Impact
The Amazon SageMaker Python SDK prior to versions 3.2.0 and 2.256.0 transmits the ModelBuilder HMAC signing key in clear text as part of the DescribeTrainingJob API response. An attacker who can retrieve this key can sign malicious artifacts and place them in the training job’s S3 output location. When the training job is subsequently invoked, those artifacts are executed, providing a path to arbitrary code execution on the training infrastructure. The vulnerability compromises the confidentiality of the signing key and the integrity of training artifacts, and is classified as CWE-319 (Cleartext Transmission of Sensitive Information).
Affected Systems
All releases of the AWS SageMaker Python SDK before v3.2.0 and before v2.256.0 are affected. Users deploying this SDK in any environment, including local development, CI/CD pipelines, or on‑premises installations, must verify whether they are using one of these vulnerable releases.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity, and the EPSS score of less than 1% suggests a very low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an actor to have permissions to call DescribeTrainingJob and to modify objects in the training job's S3 output bucket. If a single identity holds both permissions, the attacker can obtain the key, upload a malicious artifact, and trigger the training job, resulting in code execution on the training environment.
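The precondition described above, a single identity holding both permissions, can be audited from IAM policy documents. The following is an added example, not part of the advisory or the SDK; it assumes `s3:PutObject` as the action that modifies the output location, uses constructed policies and ARNs, and ignores Deny statements and conditions, so a hit means "review this identity".

```python
from fnmatch import fnmatchcase

DESCRIBE = "sagemaker:DescribeTrainingJob"
PUT = "s3:PutObject"  # assumption: stands in for "modify objects" in the output bucket


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def _allows(policy, action, resource):
    """True if an Allow statement matches both the action and the resource.

    Simplified: Deny, NotAction, NotResource and Condition are not evaluated.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; resource ARNs are not.
        act = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))
        res = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))
        if act and res:
            return True
    return False


def risky_identities(policies_by_identity, job_arn, output_object_arn):
    """Identities that can read the job description AND write to its S3 output."""
    flagged = []
    for identity, policies in policies_by_identity.items():
        can_describe = any(_allows(p, DESCRIBE, job_arn) for p in policies)
        can_write = any(_allows(p, PUT, output_object_arn) for p in policies)
        if can_describe and can_write:
            flagged.append(identity)
    return sorted(flagged)


# Constructed sample data (account id, job name, bucket and role names are placeholders).
JOB_ARN = "arn:aws:sagemaker:us-east-1:111122223333:training-job/example-job"
OUTPUT_ARN = "arn:aws:s3:::example-training-output/example-job/output/model.tar.gz"
SAMPLE = {
    "ci-role": [{"Statement": [
        {"Effect": "Allow", "Action": ["sagemaker:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-training-output/*"}]}],
    "auditor": [{"Statement": {"Effect": "Allow", "Action": DESCRIBE, "Resource": "*"}}],
    "uploader": [{"Statement": [
        {"Effect": "Allow", "Action": "sagemaker:describetrainingjob", "Resource": "*"},
        {"Effect": "Allow", "Action": PUT, "Resource": "arn:aws:s3:::other-bucket/*"}]}],
}
```

Splitting the two permissions across separate identities removes the single-identity path this check flags; upgrading the SDK to a fixed release remains the primary remediation.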