CVE-2026-1777 HIGH

CVE-2026-1777: Cleartext transmission of sensitive materials in aws/sagemaker-python-sdk

Weakness CWE-319 · Cleartext transmission

Published February 2, 2026

Last update February 4, 2026

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location may have the ability to upload arbitrary artifacts which are executed the next time the Training Job is invoked.

Key dates

Disclosure timeline

February 2, 2026 CVE published

February 4, 2026 Record updated