Data Exposure Vulnerability in Amazon SageMaker Python SDK
CVE-2026-1777

8.5HIGH

Key Information:

Vendor

Aws

Status
Sagemaker Python Sdk
Vendor
CVE Published:
2 February 2026

What is CVE-2026-1777?

The Amazon SageMaker Python SDK prior to version 3.2.0 and v2.256.0 contains a vulnerability where the ModelBuilder HMAC signing key is exposed in the cleartext response elements of the DescribeTrainingJob function. This exposure can allow an unauthorized third party, having permissions to invoke this API and to modify objects in the associated Training Jobs S3 output location, to upload malicious artifacts that could be executed during the subsequent invocation of the training job, potentially compromising the integrity of the training workflow.

Affected Version(s)

SageMaker Python SDK 3.2.0

SageMaker Python SDK 2.256.0

References

https://aws.amazon.com/security/security-bulletins/2026-0...
vendor-advisory
https://github.com/aws/sagemaker-python-sdk/security/advi...
third-party-advisory
https://github.com/aws/sagemaker-python-sdk/releases/tag/...
patch

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.