CVE-2026-8596: Remote Code Execution via Cleartext HMAC Key in Amazon SageMaker Python SDK
Vulnerability ID: CVE-2026-8596
CVSS Score: 7.2
Published: 2026-05-21
The Amazon SageMaker Python SDK is vulnerable to arbitrary code execution due to the cleartext storage of a symmetric HMAC signing key in job environment variables. An authenticated attacker with Describe permissions can extract this key to forge valid integrity signatures for malicious model artifacts.
TL;DR
SageMaker Python SDK leaked symmetric HMAC keys in job environment variables, allowing attackers to forge signatures and achieve RCE via malicious model artifacts.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-312
- Attack Vector: Network
- CVSS Score: 7.2 (High)
- EPSS Score: 0.10%
- Impact: Arbitrary Code Execution
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- Amazon SageMaker Python SDK ModelBuilder component
- Amazon SageMaker Python SDK Serve component
- AWS SageMaker Inference Containers
- Amazon SageMaker Python SDK (v2): >= 2.199.0, < 2.257.2 (Fixed in: 2.257.2)
- Amazon SageMaker Python SDK (v3): >= 3.0.0, < 3.8.0 (Fixed in: 3.8.0)
Mitigation Strategies
- Upgrade SageMaker Python SDK to patched versions
- Rebuild existing models using the updated SDK
- Restrict IAM roles for SageMaker API and S3 access
Remediation Steps:
- Update the Amazon SageMaker Python SDK to version 2.257.2 or 3.8.0.
- Identify all models and remote functions created with vulnerable SDK versions.
- Rebuild and redeploy identified artifacts to generate new ECDSA signatures.
- Audit IAM policies to enforce least privilege on sagemaker:DescribeTrainingJob and s3:PutObject.
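To support the first two remediation steps, the following added example (not code from AWS or the SDK) checks requirements-style pins of `sagemaker` against the affected ranges listed above. The function names and the sample input are constructed for illustration; only exact `==` pins are classified, anything else is reported as `unpinned`.

```python
import re

# Affected ranges (inclusive low, exclusive fixed release), as listed in this advisory.
AFFECTED = [((2, 199, 0), (2, 257, 2)), ((3, 0, 0), (3, 8, 0))]

# The "sagemaker" package itself (not e.g. sagemaker-core); group 1 is the specifier.
REQ = re.compile(r"^\s*sagemaker(?![A-Za-z0-9._-])(?:\[[^\]]*\])?\s*([^#;]*)", re.I)
PIN = re.compile(r"==\s*(\d+(?:\.\d+){0,2})")


def parse_version(text):
    """Turn '2.257' into (2, 257, 0); only plain numeric releases are handled."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version):
    """Return ('affected', fixed_release) or ('ok', None) for a version tuple."""
    for low, fixed in AFFECTED:
        if low <= version < fixed:
            return "affected", ".".join(map(str, fixed))
    return "ok", None


def audit_requirements(text):
    """Return (line number, status, fixed release) for each sagemaker requirement."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        req = REQ.match(line)
        if not req:
            continue
        pin = PIN.fullmatch(req.group(1).strip())
        if not pin:
            # Unpinned or ranged: the resolved version must be checked in the environment.
            findings.append((lineno, "unpinned", None))
            continue
        findings.append((lineno, *classify(parse_version(pin.group(1)))))
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
boto3==1.34.0
sagemaker==2.230.0
sagemaker[local]==3.8.0
sagemaker>=2.199
sagemaker-core==1.0.0
sagemaker==2.198.1  # predates the affected range
"""
print(audit_requirements(SAMPLE))
```

A status of `ok` only means the pinned version falls outside the ranges listed here; artifacts built earlier with an affected version still need the rebuild described in the steps above.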
References
- AWS Security Bulletin
- GitHub Advisory: GHSA-7hh5-prp2-mfh5
- v2 Release Notes
- v3 Release Notes
- Fix PR #5708