CVE-2026-8838

Remote Code Execution via eval() Injection in amazon-redshift-python-driver

CVSS 9.3 CRITICALEPSS 0.8%CWE-94

Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

AWS · Amazon Redshift connector for Python

public PoCs found — 1

githubgithub.com/Maxime288/CVE-2026-8838-RCE★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://aws.amazon.com/security/security-bulletins/2026-033-aws/https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.14 https://github.com/aws/amazon-redshift-python-driver/security/advisories/GHSA-29h4-r29x-hchv