PyPI: sagemaker

CVE-2026-1778

Safety vulnerability ID: SFTY-20260202-03913

Safety legacy ID: pyup.io-85691

Affected versions of the sagemaker package are vulnerable to Improper Certificate Validation due to SSL certificate verification being globally disabled in the Triton Python backend. The sagemaker-serve/src/sagemaker/serve/model_server/triton/model.py module overwrites ssl._create_default_https_context with ssl._create_unverified_context, causing HTTPS downloads (including model and dependency retrieval) to skip certificate checks.

PythonPyPINVDNVDGitHubGHSA
Created at: May 22, 2026Updated at: May 22, 2026

Overview

SageMaker Python SDK has Insecure TLS Configuration

Advisory

Affected versions of the sagemaker package are vulnerable to Improper Certificate Validation due to SSL certificate verification being globally disabled in the Triton Python backend. The sagemaker-serve/src/sagemaker/serve/model_server/triton/model.py module overwrites ssl._create_default_https_context with ssl._create_unverified_context, causing HTTPS downloads (including model and dependency retrieval) to skip certificate checks.

Affected Package

Affecting sagemaker package, versions
>=3.0,<3.1.1
<2.256.0

Also affects

---

How to Fix

Upgrade
sagemaker
to
3.1.1
2.256.0
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more