CVE-2026-8596: Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the ModelBuilder/Serve component stores an HMAC signing key in cleartext as a container environment variable, which is returned in plaintext by SageMaker describe APIs.
References
- aws.amazon.com/security/security-bulletins/2026-031-aws
- github.com/advisories/GHSA-7hh5-prp2-mfh5
- github.com/aws/sagemaker-python-sdk/releases/tag/v2.257.2
- github.com/aws/sagemaker-python-sdk/releases/tag/v3.8.0
- github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-7hh5-prp2-mfh5
- nvd.nist.gov/vuln/detail/CVE-2026-8596
Code Behaviors & Features
Detect and mitigate CVE-2026-8596 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →