VulnerableCode Package Details - pkg:pypi/sagemaker@3.2.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-pvdy-d4xb-5ygq Aliases: GHSA-5r2p-pjr8-7fh7	SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality This advisory addresses the use of the search_hub() function within the SageMaker Python SDK's JumpStart search functionality. An actor with the ability to control query parameters passed to the search_hub() function could potentially provide malformed input that causes the eval() function to execute arbitrary commands, access sensitive data, or compromise the execution environment. A defense-in-depth enhancement has been implemented to replace code evaluation with safe string operations when processing search query parameters. This enhancement removes the use of eval() from the execution path, replacing it with a safe recursive descent parser. The change was released in SageMaker Python SDK version 3.4.0 on January 23, 2026. This advisory is informational to help customers understand their responsibilities regarding input validation and configuration security under the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/).	3.4.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-pvdy-d4xb-5ygq
Aliases:
GHSA-5r2p-pjr8-7fh7

SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality This advisory addresses the use of the search_hub() function within the SageMaker Python SDK's JumpStart search functionality. An actor with the ability to control query parameters passed to the search_hub() function could potentially provide malformed input that causes the eval() function to execute arbitrary commands, access sensitive data, or compromise the execution environment. A defense-in-depth enhancement has been implemented to replace code evaluation with safe string operations when processing search query parameters. This enhancement removes the use of eval() from the execution path, replacing it with a safe recursive descent parser. The change was released in SageMaker Python SDK version 3.4.0 on January 23, 2026. This advisory is informational to help customers understand their responsibilities regarding input validation and configuration security under the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/).

3.4.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-9q6x-5ac2-m3gj	SageMaker Python SDK has Exposed HMAC SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified.	CVE-2026-1777 GHSA-rjrp-m2jw-pv9c

Vulnerability

Summary

Aliases

VCID-9q6x-5ac2-m3gj

SageMaker Python SDK has Exposed HMAC SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified.

CVE-2026-1777
GHSA-rjrp-m2jw-pv9c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T07:13:13.940517+00:00	GitLab Importer	Affected by	VCID-pvdy-d4xb-5ygq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/sagemaker/GHSA-5r2p-pjr8-7fh7.yml	38.6.0
2026-06-05T21:57:49.840376+00:00	GHSA Importer	Fixing	VCID-9q6x-5ac2-m3gj	https://github.com/advisories/GHSA-rjrp-m2jw-pv9c	38.6.0
2026-06-04T16:55:39.334544+00:00	GithubOSV Importer	Fixing	VCID-9q6x-5ac2-m3gj	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rjrp-m2jw-pv9c/GHSA-rjrp-m2jw-pv9c.json	38.6.0
2026-06-02T04:49:51.097673+00:00	GitLab Importer	Fixing	VCID-9q6x-5ac2-m3gj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/sagemaker/CVE-2026-1777.yml	38.6.0