CVE-2026-1777

7.2 HIGH

📋 TL;DR

The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 exposes the ModelBuilder HMAC signing key in cleartext via the DescribeTrainingJob API. This allows attackers with both API access and S3 write permissions to upload malicious artifacts that execute when the training job runs. Organizations using vulnerable SageMaker SDK versions are affected.

💻 Affected Systems

Products:
  • Amazon SageMaker Python SDK
Versions: All versions before v3.2.0 and v2.256.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires both DescribeTrainingJob API permissions and write access to the training job's S3 output location.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain remote code execution on SageMaker training infrastructure, potentially compromising sensitive data, manipulating ML models, or establishing persistence in AWS environments.

🟠 Likely Case

Privileged insiders or compromised accounts with appropriate permissions upload malicious code that executes during training job execution, leading to data exfiltration or resource abuse.

🟢 If Mitigated

With proper IAM controls limiting S3 write permissions and API access, impact is limited to authorized users who already have significant access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific AWS permissions and knowledge of the target environment's S3 structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.2.0 or v2.256.0

Vendor Advisory: https://aws.amazon.com/security/security-bulletins/2026-004-AWS/

Restart Required: No

Instructions:

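1. Update the SageMaker Python SDK using pip: 'pip install --upgrade "sagemaker>=3.2.0"' for the v3.x line, or 'pip install --upgrade "sagemaker>=2.256.0,<3"' to stay on v2.x. Quote the version specifier; unquoted, the shell treats '>' as output redirection and the version constraint is dropped.
2. Verify the update with 'pip show sagemaker'.
3. Redeploy any applications using the SDK.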

🔧 Temporary Workarounds

Restrict S3 Write Permissions

all

Apply IAM policies to limit write access to training job S3 output locations only to necessary services.

Limit DescribeTrainingJob API Access

all

Implement least-privilege IAM policies restricting DescribeTrainingJob API calls to authorized users only.

🧯 If You Can't Patch

  • Implement strict IAM policies to separate DescribeTrainingJob permissions from S3 write permissions for the same users.
  • Monitor CloudTrail logs for unusual DescribeTrainingJob API calls combined with S3 PutObject operations.

🔍 How to Verify

Check if Vulnerable:

Check SageMaker Python SDK version with 'pip show sagemaker | grep Version'. If version is below 3.2.0 (for v3.x) or below 2.256.0 (for v2.x), you are vulnerable.

Check Version:

pip show sagemaker | grep Version

Verify Fix Applied:

Confirm SDK version is 3.2.0 or higher (v3.x) or 2.256.0 or higher (v2.x) using 'pip show sagemaker | grep Version'.

📡 Detection & Monitoring

Log Indicators:

  • CloudTrail logs showing DescribeTrainingJob API calls followed by S3 PutObject operations to training job output locations from the same principal.

Network Indicators:

  • Unusual outbound connections from SageMaker training instances to unexpected destinations.

SIEM Query:

source="aws.cloudtrail" eventName="DescribeTrainingJob" | join type=inner userIdentity.arn [search source="aws.cloudtrail" eventName="PutObject" requestParameters.bucketName="*sagemaker*"]
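
The log indicator above (a DescribeTrainingJob call followed by a PutObject from the same principal) can also be checked offline over exported CloudTrail records. The following is an added example, not code from the advisory or from AWS; the one-hour window, the `correlate` function name and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed correlation window; tune per environment
BUCKET_HINT = "sagemaker"     # same bucket-name filter as the SIEM query above

# Constructed sample CloudTrail records (illustrative, not real log data).
ALICE = "arn:aws:iam::111122223333:user/alice"
BUCKET = "sagemaker-us-east-1-111122223333"
SAMPLE = [
    {"eventTime": "2026-01-10T09:00:00Z", "eventName": "DescribeTrainingJob",
     "userIdentity": {"arn": ALICE}, "requestParameters": {"trainingJobName": "job-a"}},
    {"eventTime": "2026-01-10T09:05:00Z", "eventName": "PutObject", "userIdentity": {"arn": ALICE},
     "requestParameters": {"bucketName": BUCKET, "key": "job-a/output/model.tar.gz"}},
    {"eventTime": "2026-01-10T09:06:00Z", "eventName": "PutObject",  # never called Describe
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/etl"},
     "requestParameters": {"bucketName": BUCKET, "key": "data/train.csv"}},
    {"eventTime": "2026-01-10T12:30:00Z", "eventName": "PutObject", "userIdentity": {"arn": ALICE},
     "requestParameters": {"bucketName": BUCKET, "key": "job-a/notes.txt"}},  # outside window
]

def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def correlate(records, window=WINDOW):
    """Return PutObject events to SageMaker-named buckets that follow a
    DescribeTrainingJob call by the same principal within `window`."""
    last_describe = {}   # principal ARN -> (time, job name) of latest Describe
    findings = []
    for rec in sorted(records, key=_ts):
        arn = (rec.get("userIdentity") or {}).get("arn")
        params = rec.get("requestParameters") or {}   # CloudTrail may log null here
        if arn is None:
            continue
        if rec.get("eventName") == "DescribeTrainingJob":
            last_describe[arn] = (_ts(rec), params.get("trainingJobName"))
        elif rec.get("eventName") == "PutObject" and arn in last_describe:
            seen, job = last_describe[arn]
            delay = _ts(rec) - seen
            if BUCKET_HINT in params.get("bucketName", "") and delay <= window:
                findings.append({"principal": arn, "job": job,
                                 "bucket": params["bucketName"], "key": params.get("key"),
                                 "delay_s": int(delay.total_seconds())})
    return findings

if __name__ == "__main__":
    print(json.dumps(correlate(SAMPLE), indent=2))
```

S3 PutObject is a CloudTrail data event, so it only appears in the logs if data event logging is enabled for the bucket.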
