AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-1778: Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made b

mediumvulnerability

security

Source: NVD/CVE DatabaseFebruary 2, 2026CVE-2026-1778

Summary

Amazon SageMaker Python SDK (a library for building machine learning models on AWS) versions before v3.1.1 or v2.256.0 have a vulnerability where TLS certificate verification (the security check that confirms a website is genuine) is disabled for HTTPS connections when importing a Triton Python model, allowing attackers to use fake or self-signed certificates to intercept or manipulate data. This vulnerability has a CVSS score (a 0-10 rating of severity) of 8.2, indicating high severity.

Solution / Mitigation

Update Amazon SageMaker Python SDK to version v3.1.1 or v2.256.0 or later.

Vulnerability Details

CVSS Score

5.9(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack Type

Other

Attack SophisticationModerate

Impact (CIA+S)

integrityconfidentiality

Taxonomy References

CWE (Weakness Type)

CWE-295

Affected Vendors

Amazon

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

critical

CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi

First tracked: February 15, 2026 at 08:45 PM

Classified by LLM (prompt v3) · confidence: 95%