CVE-2026-1777
Cleartext HMAC Key Exposure in SageMaker SDK Enables Code Execution
Publication date: 2026-02-02
Last updated on: 2026-02-03
Assigner: AMZN
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | sagemaker_python_sdk | up to 2.256.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-319 | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Amazon SageMaker Python SDK versions before v3.2.0 and v2.256.0, where the ModelBuilder HMAC signing key is included in the cleartext response elements of the DescribeTrainingJob function. This exposure allows a third party who has permissions to call this API and modify objects in the Training Jobs S3 output location to upload arbitrary artifacts. These artifacts can then be executed the next time the Training Job is invoked.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized execution of arbitrary artifacts during training jobs, potentially compromising the integrity and security of the training process. An attacker with the required permissions could inject malicious code or data, leading to data corruption, unauthorized access, or disruption of machine learning workflows.