CVE-2026-1778
TLS Verification Bypass in Amazon SageMaker Python SDK Triton Import
Publication date: 2026-02-02
Last updated on: 2026-02-03
Assigner: AMZN
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | sagemaker_python_sdk | < 3.1.1 (excluding); < 2.256.0 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Amazon SageMaker Python SDK in versions before v3.1.1 or v2.256.0, where TLS certificate verification is disabled for the HTTPS connections made when a Triton Python model is imported. As a result the SDK accepts connections presenting invalid or self-signed certificates, exposing those downloads to man-in-the-middle attacks and related risks.
How can this vulnerability impact me?
Because invalid or self-signed TLS certificates are accepted, an attacker positioned on the network path can intercept or manipulate the HTTPS traffic between the SDK and the remote endpoint. This allows unauthorized modification or injection of the data being fetched, compromising its integrity and potentially leading to a wider security breach.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Amazon SageMaker Python SDK to version 3.1.1 or later (3.x line) or version 2.256.0 or later (2.x line), so that TLS certificate verification is enabled and connections presenting invalid or self-signed certificates are rejected.
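Two defender-side checks, added here as an example and not part of this record or the SDK: a version test against the fixed releases named above (2.256.0 and 3.1.1), and a small AST scan for the Python patterns that turn off certificate verification (the CWE-295 behaviour behind this advisory). The source it scans is a constructed sample; the page does not say which HTTP call the SDK itself used.

```python
# Defender-side checks for CVE-2026-1778 (added example, not SDK code): is an installed
# SDK version in the affected range (fixed in 2.256.0 and 3.1.1), and does a source file disable TLS verification?
import ast
import re

FIXED_2X = (2, 256, 0)
FIXED_3X = (3, 1, 1)

def parse_version(version: str) -> tuple:
    """Turn '2.255.0' or 'v3.1.0' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version: str) -> bool:
    """True when the version precedes the fix on its release line."""
    v = parse_version(version)
    return v < FIXED_3X if v >= (3, 0, 0) else v < FIXED_2X

def find_tls_verification_bypass(source: str) -> list:
    """Return (line, reason) pairs where the code turns off certificate validation."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):  # requests/httpx style: verify=False
            for kw in node.keywords:
                if kw.arg == "verify" and isinstance(kw.value, ast.Constant) and kw.value.value is False:
                    findings.append((node.lineno, "verify=False"))
        elif isinstance(node, ast.Attribute) and node.attr in ("_create_unverified_context", "CERT_NONE"):
            findings.append((node.lineno, f"ssl.{node.attr}"))  # ssl module escape hatches
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) and node.value.value is False:
            for tgt in node.targets:
                if isinstance(tgt, ast.Attribute) and tgt.attr == "check_hostname":
                    findings.append((node.lineno, "check_hostname=False"))
    return sorted(findings)

# Constructed sample source (not from the SDK): an unverified download plus a weakened SSL context.
SAMPLE = """\
import requests, ssl
def fetch_model(url):
    return requests.get(url, verify=False)
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
"""

if __name__ == "__main__":
    print([v for v in ("2.255.0", "2.256.0", "3.1.0", "3.1.1") if is_affected(v)])
    print(find_tls_verification_bypass(SAMPLE))
```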