5.9 CVE-2026-1778

Enriched by CISA
 

Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed.
https://nvd.nist.gov/vuln/detail/CVE-2026-1778

Categories

CWE-295 : Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate. Certificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key. If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname. A Go framework for robotics, drones, and IoT devices skips verification of root CA certificates by default. Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). The code's whitespace indentation did not reflect the actual control flow (CWE-1114) and did not explicitly delimit the block (CWE-483), which could have made it more difficult for human code auditors to detect the vulnerability. Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494). Verification function trusts certificate chains in which the last certificate is self-signed. Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA) Web browser does not check if any intermediate certificates are revoked. Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate. Mobile banking application does not verify hostname, leading to financial loss. Cloud-support library written in Python uses incorrect regular expression when matching hostname. Web browser does not correctly handle '' character (NUL) in Common Name, allowing spoofing of https sites. Smartphone device does not verify hostname, allowing spoofing of mail services. Application uses third-party library that does not validate hostname. Cloud storage management application does not validate hostname. Java library uses JSSE SSLSocket and SSLEngine classes, which do not verify the hostname. chain: incorrect calculation allows attackers to bypass certificate checks. LDAP client accepts certificates even if they are not from a trusted CA. chain: DNS server does not correctly check return value from the OpenSSL EVP_VerifyFinal function allows bypass of validation of the certificate chain. chain: product checks if client is trusted when it intended to check if the server is trusted, allowing validation of signed code. Cryptographic API, as used in web browsers, mail clients, and other software, does not properly validate Basic Constraints. chain: OS package manager does not check properly check the return value, allowing bypass using a revoked certificate.

References


 

AFFECTED (from MITRE)

Vendor Product Versions
AWS SageMaker Python SDK
  • 3.1.1 [unaffected]
  • 2.256.0 [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end

REMEDIATION


EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
459 Creating a Rogue Certification Authority Certificate
Very High
475 Signature Spoofing by Improper Validation
High