CVE-2026-1778 — MEDIUM (CVSS 5.9) AI Security Vulnerability

CISO Take

If your organization uses SageMaker Python SDK with Triton inference backends, patch to v3.1.1 (v3.x) or v2.256.0 (v2.x) immediately — SSL verification was globally disabled, enabling MITM attackers to silently swap models or dependencies with malicious versions leading to RCE inside your inference containers. Exploitation requires network positioning, so prioritize patching in shared-network or multi-tenant cloud environments where blast radius is highest. No known active exploitation, but the attack surface covers every Triton workload downloading artifacts over HTTPS.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
sagemaker	pip	>= 3.0, < 3.1.1	`3.1.1`

Do you use sagemaker? You're affected.

Severity & Risk

CVSS 3.1

5.9 / 10

EPSS

0.0%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

Moderate

Recommended Action

1. PATCH: Upgrade sagemaker Python package to v3.1.1 (pip install 'sagemaker>=3.1.1') or v2.256.0 ('sagemaker>=2.256.0'). Rebuild and redeploy all Triton-based SageMaker endpoints after patching. 2. AUDIT FORKS: If your team maintains a fork or vendored copy of the SageMaker SDK, manually apply commits 5e7a3ef and c809895 from the upstream repo. 3. SELF-SIGNED CERTS: Teams using internal CAs for model artifact downloads should embed the CA cert into the container image rather than relying on SDK-level overrides — the patched version requires this explicit opt-in. 4. ARTIFACT SIGNING: Independently of this CVE, implement model artifact signing (AWS Signer or Sigstore) to detect substitution attacks regardless of SSL status. 5. NETWORK CONTROLS: Apply VPC endpoint policies to restrict SageMaker containers to specific S3 buckets and model registries — reduces MITM surface. 6. DETECTION: Alert on unexpected outbound HTTPS connections from inference containers to non-approved model registries or package repos.

Classification

Supply Chain Code Execution Inference Framework AML.T0010.001 - AI Software AML.T0010.003 - Model AML.T0011.001 - Malicious Package AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.2 - AI risk management process A.6.2.3 - AI supply chain security A.8.5 - Information security for AI systems A.9.3 - Security of AI system inputs

NIST AI RMF

MANAGE 3.2 - Treatment of identified AI risks MAP 5.1 - Likelihood and impact of each identified risk MEASURE 2.5 - AI risks to critical assets are identified and evaluated

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Technical Details

NVD Description

### Summary SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found. ### Impact Arbitrary Code Execution: Disabling SSL verification allows third parties to intercept HTTPS traffic and replace models or dependencies with inappropriate versions. This could lead to remote code execution in the Triton container. ### Impacted versions - SageMaker Python SDK v3 < v3.1.1 - SageMaker Python SDK v2 < v2.256.0 ### Patches This issue has been addressed in SageMaker Python SDK version [v3.1.1](https://github.com/aws/sagemaker-python-sdk/tree/1ab6d30401946e92fdbea18497675681649e0153) and [v2.256.0](https://github.com/aws/sagemaker-python-sdk/tree/a140cfcd12abfee10254cb4dea3bb10758e4321c). It is recommended to upgrade to the latest version immediately and ensure any forked or derivative code is patched to incorporate the new fixes. ### Workarounds Customers using self-signed certificates for internal model downloads should add their private Certificate Authority (CA) certificate to the container image rather than relying on the SDK’s previous insecure configuration. This opt-in approach maintains security while accommodating internal trusted domains. ### References If there are any questions or comments about this advisory, contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

Exploitation Scenario

An adversary with network access between a SageMaker Triton container and its upstream artifact source (e.g., through a compromised AWS Direct Connect appliance, a misconfigured VPC peering route, or a rogue DNS resolver) intercepts HTTPS requests made by the SDK during model loading. Because SSL verification is disabled, the TLS certificate mismatch raises no error. The attacker serves a modified PyTorch model file (.pt) or a malicious Python package from their controlled server, embedding a reverse shell or data exfiltration payload within the model's deserialization hooks (pickle-based RCE). The Triton container loads the artifact, executes the malicious code with the container's IAM role permissions, giving the attacker access to S3, Secrets Manager, or other AWS services scoped to that role — all without triggering a certificate alert or model integrity check.

Weaknesses (CWE)

CWE-295 Improper Certificate Validation Primary CWE-599 Missing Validation of OpenSSL Certificate Primary

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

Timeline

Published

February 2, 2026

Last Modified

February 3, 2026

First Seen

March 24, 2026