CVE-2026-8597: CVE-2026-8597: Arbitrary Code Execution via Missing Integrity Verification in Amazon SageMaker Python SDK Triton Handler

#security #cve #cybersecurity

CVE-2026-8597: Arbitrary Code Execution via Missing Integrity Verification in Amazon SageMaker Python SDK Triton Handler

Vulnerability ID: CVE-2026-8597
CVSS Score: 7.2
Published: 2026-05-21

The Amazon SageMaker Python SDK is vulnerable to arbitrary code execution due to a lack of cryptographic integrity verification in its Triton inference handler. An attacker possessing S3 write permissions can replace legitimate model artifacts with a malicious payload, resulting in code execution within the inference container upon deserialization.

TL;DR

Missing integrity checks on S3-hosted artifacts in the SageMaker Python SDK allow an authenticated attacker with S3 write access to achieve arbitrary code execution via malicious pickle deserialization.

Technical Details

CWE ID: CWE-354
Attack Vector: Network
CVSS v3.1 Score: 7.2
EPSS Score: 0.13%
Impact: Arbitrary Code Execution
Exploit Status: Unexploited
KEV Status: Not Listed

Affected Systems

Amazon SageMaker Python SDK v2
Amazon SageMaker Python SDK v3
AWS Triton Inference Handler
Amazon SageMaker Python SDK v2: 2.199.0 to 2.257.1 (Fixed in: 2.257.2)
Amazon SageMaker Python SDK v3: 3.0.0 to 3.7.1 (Fixed in: 3.8.0)

Mitigation Strategies

Upgrade Amazon SageMaker Python SDK to a patched version (2.257.2+ or 3.8.0+)
Enforce Least Privilege on IAM S3 policies restricting s3:PutObject
Implement S3 Object Lock or S3 Versioning on model artifact buckets

Remediation Steps:

Identify all environments utilizing Amazon SageMaker Python SDK Triton handlers.
Update the Python SDK dependency to 2.257.2 (for v2) or 3.8.0 (for v3).
Rebuild all existing Triton models utilizing the updated ModelBuilder component to generate cryptographic metadata.
Redeploy the rebuilt models to the inference servers.
Audit S3 bucket policies to ensure strict access controls over the model artifact paths.