CVE-2026-1777— Cleartext transmission of sensitive materials in aws/sagemaker-python-sdk
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-1777
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cleartext transmission of sensitive materials in aws/sagemaker-python-sdk
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location may have the ability to upload arbitrary artifacts which are executed the next time the Training Job is invoked.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
敏感数据的明文传输
Source: NVD (National Vulnerability Database)
Vulnerability Title
Amazon SageMaker Python SDK 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Amazon SageMaker Python SDK是美国亚马逊(Amazon)公司的一个构件、训练和部署机器学习模型的开发者工具包。 Amazon SageMaker Python SDK v3.2.0之前版本和v2.256.0之前版本存在安全漏洞,该漏洞源于DescribeTrainingJob函数的明文响应中包含ModelBuilder HMAC签名密钥,可能导致第三方上传并执行任意工件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| AWS | SageMaker Python SDK | - | - |
II. Public POCs for CVE-2026-1777
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-1777
请登录查看更多情报信息。
- Security Findings in SageMaker Python SDKvendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-1777
IV. Related Vulnerabilities
Same vendor: AWS
- CVE-2026-7461
OS Command Injection in Amazon ECS Agent via FSx Windows Fil - CVE-2026-7426
Out-of-Bounds Write via Unsanitized Prefix Length in Router - CVE-2026-7425
Out-of-Bounds Read in Router Advertisement Option Parser in - CVE-2026-7424
Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Pl - CVE-2026-7423
Integer Underflow in ICMP Echo Reply Processing in FreeRTOS-
Same weakness: CWE-319
- CVE-2026-45180
Catalyst::Plugin::Statsd versions through 0.10.0 for Perl ma - CVE-2026-45179
Plack::Middleware::Statsd versions before 0.9.0 for Perl may - CVE-2025-59852
HCL DFXAnalytics is affected by an Insufficient Transport - CVE-2026-7610
TRENDnet TEW-821DAP Firmware Update ssi cleartext transmissi - CVE-2026-42514
Sensitive Data Exposure Vulnerability in e-Sushrut HMIS
V. Comments for CVE-2026-1777
No comments yet