PT-2026-5708 · Amazon · Amazon Sagemaker Python Sdk
Published: 2026-02-02 · Updated: 2026-02-03 · CVE-2026-1777
CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Amazon SageMaker Python SDK versions prior to 3.2.0
Amazon SageMaker Python SDK versions prior to 2.256.0
Description
The Amazon SageMaker Python SDK exposes the ModelBuilder HMAC signing key in cleartext within the response elements of the DescribeTrainingJob function. An attacker with permissions to call this API and modify objects in the Training Job's S3 output location could potentially upload arbitrary artifacts. These artifacts may be executed when the Training Job is invoked.
Recommendations
Update to Amazon SageMaker Python SDK version 3.2.0 or later.
Update to Amazon SageMaker Python SDK version 2.256.0 or later.
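To check an environment against the two fixed releases listed above, the following added example (not code from the SDK or from this advisory) tests the installed SDK and exact pins in a requirements file. It assumes the SDK is installed under the PyPI distribution name `sagemaker`; the sample requirement lines are constructed.

```python
import re
from importlib import metadata
# First fixed release on each major branch, as stated in this advisory.
FIXED = {2: (2, 256, 0), 3: (3, 2, 0)}
_VERSION = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")
_PRERELEASE = re.compile(r"[-._]?(?:a|b|rc|dev|alpha|beta)", re.I)
# Exact pins only; "sagemaker-core" and similar packages do not match.
_PIN = re.compile(r"^\s*sagemaker(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", re.I)

def is_affected(version):
    """True if `version` is older than the fixed release for its branch."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p or 0) for p in m.group(1, 2, 3))
    fixed = FIXED.get(release[0])
    if fixed is None:
        # Assumption: 1.x and older predate the fix; majors above 3 include it.
        return release[0] < min(FIXED)
    # A pre-release of the fixed version (e.g. 3.2.0rc1) sorts before the fix.
    is_pre = bool(_PRERELEASE.match(m.group(4)))
    return release < fixed or (release == fixed and is_pre)

def audit_requirements(lines):
    """Return (line_number, version, affected) for every exact sagemaker pin."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = _PIN.match(line)
        if m:
            findings.append((number, m.group(1), is_affected(m.group(1))))
    return findings

def installed_status():
    """Return (version, affected) for the installed SDK, or None if absent."""
    try:
        version = metadata.version("sagemaker")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)

# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = ["boto3==1.34.0", "sagemaker==2.255.0  # pinned",
                       "sagemaker[local]==3.2.0", "sagemaker-core==1.0.10"]

if __name__ == "__main__":
    print("installed:", installed_status())
    for number, version, affected in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {number}: sagemaker {version} ->", "AFFECTED" if affected else "fixed")
```

Range specifiers such as `sagemaker>=2.200` are not evaluated; resolve them to a concrete version (for example from a lock file) before running the check.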
Fix
Cleartext Transmission of Sensitive Information
Improper Certificate Validation
Affected Products
Amazon Sagemaker Python Sdk