Amazon SageMaker Python SDK: RCE via Missing Integrity Verification (CVE-2026-8597)
The National Vulnerability Database has published details of CVE-2026-8597, a critical vulnerability in Amazon SageMaker Python SDK v2 (before v2.257.2) and v3 (before v3.8.0). The flaw stems from missing integrity verification in the Triton inference handler and can allow a remote, authenticated attacker to execute code inside inference containers.
The attack vector is replacing the legitimate model artifacts in S3 with a specially crafted pickle payload, which the handler then deserializes without verification, giving the attacker arbitrary code execution. Successful exploitation requires a remote, authenticated actor with S3 write access to the specific model artifact path; that narrows the attack surface but does not reduce the severity once such access exists.
Defenders should upgrade the Amazon SageMaker Python SDK to v2.257.2 or later (v2) or v3.8.0 or later (v3) immediately. Any Triton models previously built with ModelBuilder using a vulnerable SDK version must also be rebuilt with the updated SDK, since upgrading alone leaves the risk embedded in the existing models. This is not a 'patch and forget' scenario; model rebuilds are essential.
What This Means For You
- If your organization uses the Amazon SageMaker Python SDK for Triton inference, you are exposed. This is not theoretical: it is a direct path to code execution for an attacker who gains write access to the model artifact path in S3. Verify your SDK versions now and rebuild every Triton model created with an older version. Treat it as a supply chain integrity issue inside your AI/ML pipeline.
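As an added example (not code from the SageMaker Python SDK or the advisory), the two controls the advisory says the vulnerable Triton handler lacks: a pinned-digest check on the S3 artifact before deserialization, and a restricted unpickler that refuses references to importable objects. ALLOWED_GLOBALS, verify_and_load and load_status are assumed names; the sample artifacts are constructed inline.

```python
import collections
import hashlib
import io
import pickle

# Hypothetical allow-list of the only module/name pairs the unpickler may resolve;
# a real model loader would list exactly the classes its framework needs.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any GLOBAL / STACK_GLOBAL not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_and_load(artifact: bytes, expected_sha256: str):
    """Deserialize only after the artifact matches the digest pinned at build time."""
    actual = sha256_hex(artifact)
    if actual != expected_sha256:  # rejected before any pickle opcode executes
        raise ValueError(f"artifact digest mismatch: {actual} != {expected_sha256}")
    return RestrictedUnpickler(io.BytesIO(artifact)).load()


def load_status(artifact: bytes, expected_sha256: str) -> str:
    """Classify the outcome as 'ok', 'digest_mismatch' or 'forbidden_global'."""
    try:
        verify_and_load(artifact, expected_sha256)
        return "ok"
    except ValueError:
        return "digest_mismatch"
    except pickle.UnpicklingError:
        return "forbidden_global"


# Constructed sample artifacts (not real SageMaker outputs).
GOOD_ARTIFACT = pickle.dumps({"weights": [0.1, 0.2, 0.3], "layers": 2})
GOOD_DIGEST = sha256_hex(GOOD_ARTIFACT)
# A stream that references an importable object: rejected by the restricted loader
# even when its digest is pinned, which is why both controls are needed together.
GLOBAL_REF_ARTIFACT = pickle.dumps(collections.OrderedDict)
```

The pinned digest belongs with the build output (for instance recorded when ModelBuilder produces the artifact), not next to the object in S3 where the same write access could replace it.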
🛡️ Detection Rules
CVE-2026-8597: Suspicious Pickle Payload Deserialization in SageMaker Triton Inference
```yaml
title: "CVE-2026-8597: Suspicious Pickle Payload Deserialization in SageMaker Triton Inference"
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  This rule detects the execution of 'pickle.loads' within a Python process, which is a key indicator of the vulnerability exploitation. The vulnerability allows an authenticated actor to upload a malicious pickle payload to S3, which is then deserialized without verification by the Triton inference handler in SageMaker Python SDK, leading to RCE. This rule specifically targets the deserialization step.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8597/
tags:
  - attack.execution
  # T1059.006 is Command and Scripting Interpreter: Python; the original rule listed
  # t1059.001, which is the PowerShell sub-technique.
  - attack.t1059.006
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'python'
    # Only matches when 'pickle.loads' appears on the command line itself (e.g. an
    # inline 'python -c' invocation); deserialization performed inside a module's
    # source code leaves no trace in process-creation logs and is not caught here.
    CommandLine|contains:
      - 'pickle.loads'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8597 | RCE | Amazon SageMaker Python SDK v2 before v2.257.2 |
| CVE-2026-8597 | RCE | Amazon SageMaker Python SDK v3 before v3.8.0 |
| CVE-2026-8597 | Deserialization | Triton inference handler |
| CVE-2026-8597 | Code Execution | Missing integrity verification of model artifacts in S3 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 23:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.