AI & LLM Vulnerabilities

Amazon SageMaker Python SDK has a vulnerability where it stores an HMAC signing key (a cryptographic secret used to verify that model files haven't been tampered with) in plaintext as an environment variable that can be read by anyone with access to certain AWS APIs. An attacker with the right permissions could steal this key, use it to forge valid model files, and run malicious code on the system running the model.

A vulnerability in Amazon SageMaker Python SDK (a tool for building machine learning models on AWS) allows an attacker with write access to S3 (Amazon's cloud storage service) to execute malicious code by replacing model files with a specially crafted pickle file (a Python format for storing objects) that isn't checked for authenticity before being used. This only affects versions before v2.257.2 and v3.8.0, and requires the attacker to already have permission to write to the storage location.

New API, an LLM gateway and AI asset management system, has a vulnerability in versions 0.11.9-alpha.1 and earlier where its SSRF protection (safeguards against server-side request forgery, where an attacker tricks a server into making unintended web requests) fails to block the address 0.0.0.0. Any user with a valid API token can exploit this by sending requests with 0.0.0.0 as the image URL, causing the server to make requests to localhost (its own system) and potentially leak sensitive data when using certain AWS configurations.

Kiro IDE (a development environment that uses AI agents to help developers) has a cross-site scripting vulnerability (XSS, where an attacker injects malicious code that runs in a web browser) in versions before 0.8.140. An attacker can exploit this by creating a malicious workspace with a crafted color theme name, and if a user opens and trusts that workspace, the attacker's code will execute on their computer.

The Bedrock AgentCore Starter Toolkit (a tool for building AI agents on AWS) before version v0.1.13 has a vulnerability where it doesn't properly verify S3 ownership (S3 is AWS's cloud storage service). This missing check could allow an attacker to inject malicious code during the build process (when the software is being compiled), potentially leading to code execution in the running application. The vulnerability only affects users who built the toolkit after September 24, 2025.

A vulnerability (CVE-2026-4270) exists in AWS API MCP Server versions 0.2.14 through 1.3.8, which is software that lets AI assistants interact with AWS services. The bug allows attackers to bypass file access restrictions (the security controls that limit which files an AI can read) and potentially read any file on the system, even when those restrictions are supposed to be enabled.

A vulnerability in sagemaker-python-sdk (a library for machine learning on Amazon SageMaker) allows OS command injection (running unauthorized system commands) if unsafe input is passed to the capture_dependencies function's requirements_path parameter, potentially letting attackers execute code remotely or disrupt service. The vulnerability affects versions before 2.214.3.

A vulnerability in the sagemaker-python-sdk library (used for machine learning on Amazon SageMaker) allows unsafe deserialization, where the NumpyDeserializer module can execute malicious code if it processes untrusted pickled data (serialized Python objects stored in a binary format). An attacker could exploit this to run arbitrary commands on a system or crash it.