CVE-2026-1778

Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/2026-004-AWS/
https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0
https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1
https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El SDK de Python de Amazon SageMaker anterior a la v3.1.1 o v2.256.0 deshabilita la verificación de certificados TLS para las conexiones HTTPS realizadas por el servicio cuando se importa un modelo de Python de Triton, permitiendo incorrectamente que las solicitudes con certificados no válidos y autofirmados tengan éxito.

03 Feb 2026, 16:16

Type	Values Removed	Values Added
References		() https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0 - () https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1 - () https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543 -

02 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-02 23:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-1778

Mitre link : CVE-2026-1778

CVE.ORG link : CVE-2026-1778

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2026-1778", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-02T23:16:04.283", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-004-AWS/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed."}, {"lang": "es", "value": "El SDK de Python de Amazon SageMaker anterior a la v3.1.1 o v2.256.0 deshabilita la verificaci\u00f3n de certificados TLS para las conexiones HTTPS realizadas por el servicio cuando se importa un modelo de Python de Triton, permitiendo incorrectamente que las solicitudes con certificados no v\u00e1lidos y autofirmados tengan \u00e9xito."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}