GHSA-rq6v-x3j8-7qgf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rq6v-x3j8-7qgf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rq6v-x3j8-7qgf/GHSA-rq6v-x3j8-7qgf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rq6v-x3j8-7qgf
- Aliases
-
- CVE-2026-8597
- Published
- 2026-05-21T17:56:39Z
- Modified
- 2026-05-21T18:00:09.131968672Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 6.4 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler
- Details
-
Summary
Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the Triton inference handler deserializes model artifacts without performing integrity verification, allowing specially crafted pickle payloads to execute arbitrary code.
Impact
When using ModelBuilder with the Triton inference server, the Triton handler did not perform integrity verification before deserializing model artifacts. A remote authenticated actor with S3 write access to the model artifact path could replace model files with a crafted payload that would execute automatically on the next container lifecycle event, achieving code execution with the SageMaker execution role's IAM permissions.
Impacted versions: >= v2.199.0 AND <= v2.257.1, >= v3.0.0 AND <= v3.7.1
Patches
This issue has been addressed in Amazon SageMaker Python SDK v2.257.2 and v3.8.0. The Triton inference handler now performs integrity verification before deserializing model artifacts. AWS recommend upgrading to the latest version and rebuilding any Triton models previously created with ModelBuilder using the updated SDK. Ensure any forked or derivative code is patched to incorporate the new fixes.
Workarounds
If upgrading is not immediately possible, users should restrict S3 write access to model artifact paths to only trusted principals and monitor for unintended modifications to files in model artifact S3 locations.
References
If there any questions or comments about this advisory, contact AWS Security via vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
- Database specific
{ "cwe_ids": [ "CWE-354" ], "github_reviewed": true, "github_reviewed_at": "2026-05-21T17:56:39Z", "nvd_published_at": "2026-05-14T20:17:21Z", "severity": "MODERATE" }- References
-
- https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-rq6v-x3j8-7qgf
- https://nvd.nist.gov/vuln/detail/CVE-2026-8597
- https://aws.amazon.com/security/security-bulletins/2026-031-aws
- https://github.com/aws/sagemaker-python-sdk
- https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.257.2
- https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.8.0
Affected packages
PyPI / sagemaker
Package
- Name
- sagemaker
- View open source insights on deps.dev
- Purl
- pkg:pypi/sagemaker
Affected versions
2.*
PyPI / sagemaker
Package
- Name
- sagemaker
- View open source insights on deps.dev
- Purl
- pkg:pypi/sagemaker