PyPI: sagemaker
CVE-2026-8596
Safety vulnerability ID: SFTY-20260521-74722
Safety legacy ID: pyup.io-98666
Affected versions of the sagemaker package are vulnerable to Cleartext Storage of Sensitive Information because the ModelBuilder/Serve component places an HMAC signing key into a container environment variable in plaintext. When ModelBuilder builds and deploys a model with the TorchServe, Multi-Model Server, TensorFlow Serving, SMD, or Triton model servers, the SDK generates an HMAC secret used to verify the integrity of model artifacts and stores it as the SAGEMAKER_SERVE_SECRET_KEY environment variable on the SageMaker model container. Container environment variables are part of the model definition, so the key is returned in plaintext by the DescribeModel, DescribeEndpointConfig, and DescribeModelPackage APIs to any principal allowed to call them. Exploitation needs two permissions together: the right to call those describe APIs (to recover the key) and S3 write access to the model artifact path (to replace the artifact). A remote authenticated actor holding both can forge a valid integrity signature for a crafted artifact, so the container accepts it and executes arbitrary code with the IAM permissions of the SageMaker execution role.
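The practical first question for an account owner is which deployed models currently carry the key in their container environment and which S3 artifact path and execution role each one is tied to, since those are the two other halves of the attack precondition. The audit helper below is an added example, not code from the Safety advisory or from the SageMaker Python SDK; it walks DescribeModel-shaped responses (the PrimaryContainer field for single-container models, the Containers list for inference pipelines) and reports a finding per container that defines SAGEMAKER_SERVE_SECRET_KEY, deliberately emitting only the key's length so the audit output is not another plaintext copy of the secret. The sample responses are constructed for illustration; scan_account is the live variant and assumes a boto3 SageMaker client passed in by the caller.

```python
"""Audit helper for CVE-2026-8596: flag SageMaker models whose container
environment exposes SAGEMAKER_SERVE_SECRET_KEY in plaintext.
Added example; not part of the advisory or the sagemaker SDK."""
from typing import Any, Dict, Iterator, List

SECRET_ENV_NAME = "SAGEMAKER_SERVE_SECRET_KEY"


def _containers(describe_model: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every container definition in a DescribeModel response.
    Single-container models use PrimaryContainer; inference pipelines
    use the Containers list. Both are checked."""
    primary = describe_model.get("PrimaryContainer")
    if primary:
        yield primary
    for container in describe_model.get("Containers") or []:
        yield container


def find_exposed_keys(describe_model: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per container that carries the serve secret.
    The finding records what an operator needs to assess blast radius:
    the artifact path (where S3 write access matters) and the execution
    role (whose permissions forged code would run with). The key value
    itself is reported only by length, never copied into the output."""
    findings: List[Dict[str, Any]] = []
    for container in _containers(describe_model):
        env = container.get("Environment") or {}
        if SECRET_ENV_NAME in env:
            findings.append({
                "model_name": describe_model.get("ModelName", ""),
                "image": container.get("Image", ""),
                "model_data_url": container.get("ModelDataUrl", ""),
                "execution_role": describe_model.get("ExecutionRoleArn", ""),
                "secret_length": len(env[SECRET_ENV_NAME]),
            })
    return findings


def scan_account(sm_client) -> List[Dict[str, Any]]:
    """Live scan: page through ListModels and run DescribeModel on each.
    sm_client is assumed to be boto3.client("sagemaker"); the caller's
    credentials need sagemaker:ListModels and sagemaker:DescribeModel."""
    findings: List[Dict[str, Any]] = []
    for page in sm_client.get_paginator("list_models").paginate():
        for summary in page["Models"]:
            desc = sm_client.describe_model(ModelName=summary["ModelName"])
            findings.extend(find_exposed_keys(desc))
    return findings


# Constructed sample responses shaped like DescribeModel output (not from a
# real account): one affected single-container model, one pipeline whose
# second container is affected, and one clean model.
SAMPLE_RESPONSES: List[Dict[str, Any]] = [
    {
        "ModelName": "torchserve-demo",
        "ExecutionRoleArn": "arn:aws:iam::123456789012:role/SageMakerExecRole",
        "PrimaryContainer": {
            "Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/pytorch-inference:2.1",
            "ModelDataUrl": "s3://example-bucket/models/torchserve-demo/model.tar.gz",
            "Environment": {
                "SAGEMAKER_SERVE_SECRET_KEY": "0123456789abcdef0123456789abcdef",
                "SAGEMAKER_PROGRAM": "inference.py",
            },
        },
    },
    {
        "ModelName": "pipeline-demo",
        "ExecutionRoleArn": "arn:aws:iam::123456789012:role/SageMakerExecRole",
        "Containers": [
            {"Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/preprocess:1",
             "ModelDataUrl": "s3://example-bucket/pre/model.tar.gz",
             "Environment": {}},
            {"Image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/triton:23",
             "ModelDataUrl": "s3://example-bucket/triton/model.tar.gz",
             "Environment": {"SAGEMAKER_SERVE_SECRET_KEY": "deadbeef"}},
        ],
    },
    {
        "ModelName": "clean-model",
        "PrimaryContainer": {"Image": "x", "Environment": {"FOO": "bar"}},
    },
]


def audit_samples() -> List[Dict[str, Any]]:
    """Run the check over the constructed samples; returns 2 findings."""
    return [f for resp in SAMPLE_RESPONSES for f in find_exposed_keys(resp)]


if __name__ == "__main__":
    for f in audit_samples():
        print(f"{f['model_name']}: key of {f['secret_length']} chars in env; "
              f"artifact {f['model_data_url']}; role {f['execution_role']}")
```

For each finding, the two follow-up checks are who can read the model definition (sagemaker:DescribeModel and the related describe actions in IAM policies) and who can write to the reported ModelDataUrl prefix; a principal with both is the actor the advisory describes. Redeploying with a fixed SDK release replaces the model definition, so rerunning the scan afterwards confirms the variable is gone.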
Overview
Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
Advisory
Affected Package
Also affects
---
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260521-74722/CVE-2026-8596
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8596
- https://github.com/advisories/GHSA-7hh5-prp2-mfh5
- https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-7hh5-prp2-mfh5
- https://nvd.nist.gov/vuln/detail/CVE-2026-8596
- https://aws.amazon.com/security/security-bulletins/2026-031-aws
- https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.257.2
- https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.8.0
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
