CVE-2026-8838
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client.
To remediate this issue, users should upgrade to version 2.1.14.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AWS | Amazon Redshift connector for Python | 0 <= 2.1.13 | affected |
Weaknesses
- CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.14
- https://aws.amazon.com/security/security-bulletins/2026-033-aws/
- https://github.com/aws/amazon-redshift-python-driver/security/advisories/GHSA-29h4-r29x-hchv
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.