PyPI: sagemaker
CVE-2026-8597
Safety vulnerability ID: SFTY-20260521-99051
Safety legacy ID: pyup.io-98667
Affected versions of the sagemaker package are vulnerable to Insecure Deserialisation due to the ModelBuilder Triton inference handler deserialising model artifacts without performing integrity verification. The Triton handler loads artifacts retrieved from the configured S3 model artifact path through Python pickle without first validating their integrity, allowing tampered artifacts to be unpickled during container lifecycle events. A remote authenticated actor with S3 write access to the model artifact path can replace a model file with a crafted pickle payload that executes on the next container start, achieving Remote Code Execution under the SageMaker execution role's IAM permissions.
Overview
Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler
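As an added example (not code from the sagemaker SDK or from the advisory), this is the check the advisory says the handler lacks: pin a SHA-256 digest for each artifact, verify the file on disk against it before it ever reaches `pickle`, and only resolve an allow-listed set of globals while unpickling. The pinned digest is assumed to come from a trusted manifest outside the S3 artifact path (a hypothetical deployment detail); the scenario in `demo()` is constructed.

```python
import hashlib
import hmac
import io
import pickle
import tempfile
from pathlib import Path


class IntegrityError(Exception):
    """Artifact digest does not match the value pinned at deployment time."""


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large model artifacts never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class SafelistUnpickler(pickle.Unpickler):
    """Second layer: refuse any global not on the allow-list, so even a
    digest-matching artifact cannot resolve arbitrary callables on load."""
    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}  # assumed model format

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_verified_artifact(path, expected_sha256):
    """Hash first, compare in constant time, and unpickle only on a match."""
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError(f"{path}: expected {expected_sha256}, got {actual}")
    with open(path, "rb") as f:
        return SafelistUnpickler(f).load()


def rejects_unlisted_global():
    """True if a pickle referencing a global outside ALLOWED (here builtins.len) is refused."""
    try:
        SafelistUnpickler(io.BytesIO(pickle.dumps(len))).load()
    except pickle.UnpicklingError:
        return True
    return False


def demo():
    """Constructed scenario: the pinned artifact loads; a replaced file is rejected."""
    with tempfile.TemporaryDirectory() as d:
        artifact = Path(d) / "model.pkl"
        artifact.write_bytes(pickle.dumps({"weights": [0.1, 0.2], "version": 3}))
        pinned = sha256_file(artifact)  # value that would live in the trusted manifest
        loaded = load_verified_artifact(artifact, pinned)
        artifact.write_bytes(pickle.dumps({"weights": [9.9]}))  # stand-in for a swapped file
        try:
            load_verified_artifact(artifact, pinned)
            rejected = False
        except IntegrityError:
            rejected = True
        return loaded, rejected
```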
References
- https://getsafety.com/vulnerabilities/SFTY-20260521-99051/CVE-2026-8597
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8597
- https://github.com/advisories/GHSA-rq6v-x3j8-7qgf
- https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-rq6v-x3j8-7qgf
- https://nvd.nist.gov/vuln/detail/CVE-2026-8597
- https://aws.amazon.com/security/security-bulletins/2026-031-aws
- https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.257.2
- https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.8.0
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
