TLS Certificate Verification Bypass in Amazon SageMaker Python SDK
CVE-2026-1778

8.2HIGH

Key Information:

Vendor

Aws

Status
Sagemaker Python Sdk
Vendor
CVE Published:
2 February 2026

What is CVE-2026-1778?

The Amazon SageMaker Python SDK versions before v3.1.1 and v2.256.0 exhibit a vulnerable configuration that disables TLS certificate verification for HTTPS connections when importing Triton Python models. This flaw enables the service to accept requests that utilize invalid or self-signed certificates, potentially exposing users to man-in-the-middle attacks and compromising data security. It is crucial for users to upgrade to the latest versions to mitigate this risk.

Affected Version(s)

SageMaker Python SDK 3.1.1

SageMaker Python SDK 2.256.0

References

https://aws.amazon.com/security/security-bulletins/2026-0...
vendor-advisory
https://github.com/aws/sagemaker-python-sdk/security/advi...
third-party-advisory
https://github.com/aws/sagemaker-python-sdk/releases/tag/...
patch

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.