AWS Latest Bulletins
Issue with Amazon SageMaker Python SDK - Model artifact integrity verification issues (CVE-2026-8596 & CVE-2026-8597)
This security bulletin addresses vulnerabilities in the Amazon SageMaker Python SDK that affect model deployment. The ModelBuilder component of the SDK simplifies model deployment but contains two critical weaknesses, tracked as CVE-2026-8596 and CVE-2026-8597.

CVE-2026-8596 concerns the insecure storage and exposure of an HMAC signing key: the key is stored in plaintext and is readable through SageMaker describe APIs. An attacker who obtains it could forge signatures and execute malicious code in inference containers.

CVE-2026-8597 concerns the absence of integrity verification in the Triton inference handler, which deserializes model artifacts without any check. A crafted pickle payload can therefore achieve code execution.

The affected versions of the SageMaker Python SDK are 2.199.0 through 2.257.1 and 3.0.0 through 3.7.1. Both issues could lead to remote code execution within the SageMaker environment, meaning an unauthorized user could potentially run commands and compromise model integrity. Users should consult the linked security bulletin for detailed remediation steps; the bulletin stresses that these critical issues should be addressed promptly.
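Two defender-side checks prompted by this bulletin, as an added example (not code from the SageMaker SDK or from AWS): a version test against the affected ranges quoted above, and the verify-then-deserialize gate that CVE-2026-8597 describes as missing, with the HMAC key supplied from a secrets store rather than stored beside the artifact. The HMAC-SHA256 tag scheme, the version-parsing rules and the sample artifact are assumptions for illustration, not the SDK's actual signing format.

```python
import hashlib
import hmac
import pickle

# Affected SageMaker Python SDK ranges from the bulletin (inclusive bounds).
AFFECTED_RANGES = [((2, 199, 0), (2, 257, 1)), ((3, 0, 0), (3, 7, 1))]

def parse_version(text: str) -> tuple:
    """'2.200.1' -> (2, 200, 1); a non-numeric suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version: str) -> bool:
    """True when the installed SDK version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def sign_artifact(key: bytes, blob: bytes) -> bytes:
    """HMAC-SHA256 tag over the serialized artifact (assumed scheme). The key must be
    fetched from a secrets store at load time, never stored in resource metadata."""
    return hmac.new(key, blob, hashlib.sha256).digest()

def load_verified(key: bytes, blob: bytes, tag: bytes):
    """Check the tag in constant time, then deserialize. Unpickling without this
    gate is the CVE-2026-8597 failure mode."""
    if not hmac.compare_digest(sign_artifact(key, blob), tag):
        raise ValueError("artifact integrity check failed; refusing to load")
    return pickle.loads(blob)

def verify_demo() -> dict:
    """Constructed sample: the signed artifact loads, a tampered copy is rejected."""
    key = b"constructed-demo-key"  # stands in for a secret fetched at runtime
    blob = pickle.dumps({"weights": [0.1, 0.2, 0.3]})
    tag = sign_artifact(key, blob)
    loaded = load_verified(key, blob, tag)
    try:
        load_verified(key, blob + b"\x00", tag)  # one appended byte
        rejected = False
    except ValueError:
        rejected = True
    return {"loaded": loaded, "tampered_rejected": rejected}
```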