This vulnerability (CVE-2026-8597) arises from improper validation of the integrity check value (CWE-354) in the Triton inference handler of the Amazon SageMaker Python SDK before versions v2.257.2 and v3.8.0. An attacker with remote authenticated access and S3 write permissions to the model artifact path can replace model artifacts stored in S3 with a specially crafted pickle payload. Because the SDK deserializes this payload without verifying its integrity, this can lead to remote code execution inside inference containers. The issue affects SDK versions 2.199.0 through before 2.257.2 and 3.0.0 through before 3.8.0. AWS provides patches in the specified versions and advises rebuilding Triton models with the updated SDK.

Successful exploitation allows a remote authenticated actor with S3 write access to execute arbitrary code within inference containers by replacing model artifacts with malicious payloads. This compromises confidentiality, integrity, and availability of the affected inference environment. The CVSS v3.1 base score is 7.2 (high), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

A patch is available. AWS recommends upgrading the Amazon SageMaker Python SDK to version v2.257.2 or v3.8.0 or later. Additionally, any Triton models previously created with ModelBuilder using the affected SDK versions should be rebuilt using the updated SDK to ensure the integrity verification is enforced. Since this is a cloud service, AWS manages the underlying infrastructure, but customers must update their SDK versions and model artifacts accordingly. Refer to the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-031-aws/ for official guidance.