CVE-2026-1778
Unknown Unknown - Not Provided

TLS Verification Bypass in Amazon SageMaker Python SDK Triton Import

Vulnerability report for CVE-2026-1778, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-02

Last updated on: 2026-02-03

Assigner: AMZN

Description

Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-02
Last Modified
2026-02-03
Generated
2026-07-06
AI Q&A
2026-02-03
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
amazon sagemaker_python_sdk to 3.1.1|end_excluding=2.256.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Amazon SageMaker Python SDK versions before v3.1.1 or v2.256.0, where TLS certificate verification is disabled for HTTPS connections when a Triton Python model is imported. This means the service incorrectly allows requests with invalid or self-signed certificates to succeed, potentially exposing the system to man-in-the-middle attacks or other security risks.

Impact Analysis

The vulnerability can impact you by allowing attackers to intercept or manipulate HTTPS traffic between your service and external endpoints due to the acceptance of invalid or self-signed TLS certificates. This can lead to unauthorized data modification or injection, compromising the integrity of your data and potentially leading to security breaches.

Mitigation Strategies

Upgrade the Amazon SageMaker Python SDK to version 3.1.1 or later, or version 2.256.0 or later, to ensure TLS certificate verification is properly enabled and requests with invalid or self-signed certificates are rejected.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart