CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-1778

The Global Unverify: How One Line of Python Broke SageMaker TLS

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 3, 2026·5 min read·26 visits

Executive Summary (TL;DR)

The Amazon SageMaker Python SDK (< 3.1.1, < 2.256.0) globally disabled SSL certificate verification to suppress errors when downloading models. This allows attackers to intercept HTTPS traffic, inject malicious models, and achieve Remote Code Execution (RCE) via insecure deserialization.

Developers hate SSL errors. They hate them so much that sometimes, rather than fixing the certificate chain, they simply turn off validation for the entire process. This is exactly what happened in the Amazon SageMaker Python SDK. A 'quick fix' to suppress errors from the `ssl` library resulted in a global disablement of certificate verification, leaving machine learning pipelines wide open to Man-in-the-Middle (MitM) attacks and malicious model injection.

The Hook: The Convenience Trap

We have all been there. You are writing a script, trying to download a resource, and Python throws a tantrum: SSL: CERTIFICATE_VERIFY_FAILED. It is annoying. It halts development. And the top answer on StackOverflow usually involves a magical incantation that makes the error go away.

But there is a massive difference between pasting a hack into a throwaway script and embedding it into a production-grade SDK used by thousands of enterprises to manage their AI infrastructure. In CVE-2026-1778, the Amazon SageMaker Python SDK fell into the 'Convenience Trap'.

To support the Triton Inference Server, the SDK needs to download model weights (like ResNet or BERT) from repositories like torchvision. Apparently, these downloads were failing validation in certain environments. Rather than debugging the root trust store issue, the code opted for the nuclear option: telling the Python interpreter to stop caring about certificates entirely.

The Flaw: Monkeypatching Hell

The vulnerability lies in how Python handles SSL contexts. The ssl module provides a default context used by urllib, http.client, and by extension, higher-level libraries like requests and boto3 (if they rely on the standard library's context). Ideally, this context is secure by default.

The flaw in SageMaker was a classic case of "Monkeypatching." Monkeypatching is the dynamic modification of a class or module at runtime. It is a powerful feature of dynamic languages like Python, but it is also a loaded gun pointed at your foot.

The SDK included this snippet:

ssl._create_default_https_context = ssl._create_unverified_context

This single line overwrites the global default HTTPS context factory with one that performs no verification. Crucially, this doesn't just affect the code downloading the model. Once this line executes, any subsequent HTTPS connection made by that Python process—whether it's talking to AWS S3, a third-party API, or an internal microservice—will blindly trust whatever certificate it is presented with.

It is the digital equivalent of unlocking your front door to let a delivery driver in, and then welding the lock open for the rest of eternity.

The Smoking Gun: Confession in Comments

Nothing tells a story quite like a developer's comment explaining exactly why they introduced a security vulnerability. The diff for the fix reveals the thought process behind the bug. It wasn't malice; it was just an attempt to make the error messages stop.

Here is the code removed in commit 5e7a3efa7bec0a161194ffa0cef346dda93bf2c6:

# Otherwise it will complain SSL: CERTIFICATE_VERIFY_FAILED
# When trying to download models from torchvision
- ssl._create_default_https_context = ssl._create_unverified_context

The comment "Otherwise it will complain" is the smoking gun. It admits that the security controls were working as intended (blocking untrusted connections) and that the "fix" was to silence the complaint rather than solve the trust issue.

> [!NOTE] > The fix was simple: Delete the lines. By removing the override, the SDK reverts to using the system's default, secure SSL context, which validates certificates against the OS trust store.

The Exploit: From MitM to RCE

Why is an SSL bypass so dangerous in an ML context? Because of Pickles. Machine learning models (PyTorch .pth files, Scikit-learn models) are frequently serialized using Python's pickle module. pickle is notoriously insecure; unpickling a malicious file executes arbitrary code.

Here is the attack chain:

  1. Positioning: An attacker positions themselves in the network path (e.g., a compromised router, a malicious Wi-Fi hotspot, or ARP spoofing in a shared environment).
  2. Interception: The victim runs a SageMaker job that imports a Triton model. The SDK initializes and globally disables SSL verification.
  3. The Bait: The SDK attempts to download a pre-trained model (e.g., https://download.pytorch.org/models/resnet50.pth).
  4. The Switch: The attacker intercepts the request. Since verification is disabled, they present a self-signed certificate. The SDK accepts it without error.
  5. The Payload: Instead of the real ResNet50 model, the attacker serves a malicious file containing a pickled reverse shell.
  6. Execution: The SDK receives the file and loads it using torch.load() (which uses pickle). The payload triggers, and the attacker gains a shell inside the SageMaker container.

Once inside, the attacker can steal AWS credentials (often stored in environment variables like AWS_ACCESS_KEY_ID), pivot to other AWS services, or poison the training data.

The Fix: Trust, Don't Bypass

The remediation is straightforward: update your SDK. AWS released versions 3.1.1 and 2.256.0 to address this.

However, the lesson here extends beyond just upgrading a package. If you are a developer facing CERTIFICATE_VERIFY_FAILED errors, do not disable verification. Instead:

  1. Update Root CAs: Ensure your container or OS has the latest ca-certificates package.
  2. Use Custom Contexts: If you absolutely must connect to a server with a self-signed cert (e.g., internal testing), pass the verify=False flag only to that specific request session, or create a specific SSL context with the custom CA loaded.
  3. Install the CA: Add your internal CA certificate to the system trust store so the default validation works naturally.

Global monkeypatching of security primitives is a "code smell" that should trigger immediate alarms in any code review.

Official Patches

AWSAWS Security Bulletin 2026-004-AWS

Fix Analysis (1)

Technical Appendix

CVSS Score
5.9/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Systems

Amazon SageMaker Python SDK v3.x < 3.1.1Amazon SageMaker Python SDK v2.x < 2.256.0Triton Inference Server integrations via SageMaker

Affected Versions Detail

Product
Affected Versions
Fixed Version
SageMaker Python SDK
AWS
< 3.1.13.1.1
SageMaker Python SDK
AWS
< 2.256.02.256.0
AttributeDetail
CWE IDCWE-295
Attack VectorNetwork (MitM)
CVSS v3.15.9 (Medium)
ImpactIntegrity Loss / Remote Code Execution
Root CauseGlobal SSL Context Monkeypatching
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1557Adversary-in-the-Middle
Credential Access
T1204User Execution (Malicious File)
Execution
T1059Command and Scripting Interpreter
Execution
CWE-295
Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. This allows an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack.

Known Exploits & Detection

HypotheticalStandard MitM attack injecting a malicious Pickle file during model download.

Vulnerability Timeline

Version 3.1.1 Released (Fix)
2025-12-10
Version 2.256.0 Released (Fix)
2026-01-08
CVE-2026-1778 Published
2026-02-02

References & Sources

  • [1]Fix Commit on GitHub
  • [2]Python SSL Context Documentation

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 4 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
4 views•7 min read
•about 5 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 5 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 6 hours ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
5 views•6 min read
•about 6 hours ago•CVE-2026-48594
8.2

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 7 hours ago•CVE-2026-48595
8.2

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

Alon Barad
Alon Barad
6 views•5 min read