AWS Latest Bulletins

Security Findings in SageMaker Python SDK

AWS released a security bulletin detailing two vulnerabilities in the SageMaker Python SDK.

The first vulnerability, CVE-2026-1777, concerns an exposed HMAC key that is used to protect data integrity. The key is stored in environment variables and disclosed through the DescribeTrainingJob API. An attacker with DescribeTrainingJob permissions can extract the key, manipulate data, and overwrite S3 objects. Impacted versions include specific builds within the v2 and v3 versions of the SDK.

The second vulnerability, CVE-2026-1778, involves an insecure TLS configuration that globally disables SSL certificate verification in the Triton Python backend. The configuration was introduced to bypass SSL errors when downloading models from public sources. Once the Triton Python model is imported, the security of HTTPS connections is invalidated. This vulnerability also impacts specific builds within the v2 and v3 versions of the SDK.

These vulnerabilities can be exploited to compromise the integrity and security of SageMaker model training and deployment. The bulletin treats them as critical risks that need immediate attention and emphasizes promptly updating to the patched SDK versions to protect machine-learning workflows on AWS. Users are advised to review the bulletin for comprehensive information and remediation steps.
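As an added example (not code from the bulletin or from the SDK), the following Python check reports whether importing a module changed the process-wide default HTTPS context so that certificate verification is skipped, the class of problem described for CVE-2026-1778. The override inside `constructed_offending_import` is a constructed stand-in; the summary does not state the SDK's exact mechanism, and all function names here are hypothetical.

```python
import importlib
import ssl


def verification_disabled():
    """True if the context urllib/http.client builds by default skips checks."""
    ctx = ssl._create_default_https_context()
    return ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname


def audit_import(do_import):
    """Run do_import() and report whether it changed process-wide TLS defaults."""
    factory_before = ssl._create_default_https_context
    disabled_before = verification_disabled()
    do_import()
    return {
        "disabled_before": disabled_before,
        "disabled_after": verification_disabled(),
        "factory_replaced": ssl._create_default_https_context is not factory_before,
    }


def audit_module(name):
    """Audit the import of a real module by its dotted name."""
    return audit_import(lambda: importlib.import_module(name))


def restore_verification():
    """Put the stdlib's verifying factory back as the process-wide default."""
    ssl._create_default_https_context = ssl.create_default_context


def constructed_offending_import():
    """Constructed stand-in for a module that overrides TLS defaults on import."""
    ssl._create_default_https_context = ssl._create_unverified_context


if __name__ == "__main__":
    print(audit_import(constructed_offending_import))
    restore_verification()
    print("verification disabled after restore:", verification_disabled())
```

The check covers only the standard library's default HTTPS context; clients that build their own contexts or pass their own verification settings need to be reviewed separately.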
aws.amazon.com