Amazon Redshift Python Driver eval() Vulnerability in vector_in() before 2.1.14
CVE-2026-8838 Published on May 18, 2026
Remote Code Execution via eval() Injection in amazon-redshift-python-driver
Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client.
To remediate this issue, users should upgrade to version 2.1.14.
Vulnerability Analysis
CVE-2026-8838 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-8838 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-8838
stack.watch emails you whenever new vulnerabilities are published in Aws Amazon Redshift Connector Python or Amazon Aws. Just hit a watch button to start following.
Affected Versions
AWS Amazon Redshift connector for Python:- Before and including 2.1.13 is affected.