Description
Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle payload that is deserialized without verification. This issue requires a remote authenticated actor with S3 write access to the model artifact path.



To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuild any Triton models previously created with ModelBuilder using the updated SDK.
Published: 2026-05-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Amazon SageMaker Python SDK allows a remote authenticated actor with S3 write access to replace model artifacts with a specially crafted pickle file. The SDK loads the artifact without integrity verification, enabling the attacker to execute arbitrary code inside the inference container during Triton model initialization. The weakness is a lack of model integrity check (CWE‑354).

Affected Systems

The issue affects Amazon SageMaker Python SDK version 2 prior to 2.257.2 and version 3 prior to 3.8.0 when building Triton inference models with ModelBuilder. Any deployment that loads model artifacts from S3 using these SDK versions is vulnerable.

Risk and Exploitability

The CVSS base score of 6.4 indicates moderate severity. Exploitation requires only remote authentication and S3 write permission to the designated model artifact path; no local privileges or special network access are needed. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of widespread attacks is uncertain, but the potential impact warrants immediate attention.

Generated by OpenCVE AI on May 14, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SageMaker Python SDK to version 2.257.2 or 3.8.0
  • Rebuild all Triton models that were created with ModelBuilder using the updated SDK
  • Restrict S3 write permissions on the model artifact path so that only trusted roles can modify model files

Generated by OpenCVE AI on May 14, 2026 at 22:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle payload that is deserialized without verification. This issue requires a remote authenticated actor with S3 write access to the model artifact path. To remediate this issue, we recommend upgrading to Amazon SageMaker Python SDK v2.257.2 or v3.8.0 and rebuild any Triton models previously created with ModelBuilder using the updated SDK.
Title Missing integrity verification in Triton inference handler in Amazon SageMaker Python SDK
First Time appeared Amazon Sagemaker Python Sdk
Amazon Sagemaker Python Sdk aws
Weaknesses CWE-354
CPEs cpe:2.3:a:amazon_sagemaker_python_sdk:aws:*:*:*:*:*:*:*:*
Vendors & Products Amazon Sagemaker Python Sdk
Amazon Sagemaker Python Sdk aws
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 6.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Amazon Sagemaker Python Sdk Aws
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-05-16T03:56:23.152Z

Reserved: 2026-05-14T13:39:22.704Z

Link: CVE-2026-8597

cve-icon Vulnrichment

Updated: 2026-05-15T13:30:17.059Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T20:17:21.340

Modified: 2026-05-15T14:10:31.000

Link: CVE-2026-8597

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T22:30:25Z

Weaknesses