Description
An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath.

To mitigate this issue, users should upgrade to version 2.2.2 or later.
Published: 2026-05-08
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in the Amazon Redshift JDBC Driver allows it to load and execute arbitrary classes when parsing JDBC connection URL parameters. An attacker who can influence the connection URL can name a class that is already present on the application's classpath, and the driver loads and executes that class's code inside the application's process. No attacker-supplied class is required: the limiting factor is whether a class with useful side effects on loading or instantiation already exists on the classpath. The weakness is unsafe reflection / class loading (CWE-470), and the impact is high because the resulting code runs with the application's privileges, enabling data tampering, persistence, or lateral movement from the compromised process.

Affected Systems

All versions of the Amazon Redshift JDBC Driver before 2.2.2 are affected, on every platform the driver runs on. Any application that still ships an older driver remains at risk.

Risk and Exploitability

The CVSS v4.0 score of 9.2 is Critical (the CVSS v3.1 score is 8.1, High). Both vectors rate attack complexity as high, and the v4.0 vector also records attack requirements (AT:P): the attacker must be able to alter the JDBC connection URL, and a suitable class must already exist on the application's classpath. The EPSS estimate is below 1%, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates the issue as not automatable. The attack vector is code execution via a manipulated JDBC connection string, so the risk is highest in applications that build connection URLs from untrusted input or read them from configuration an attacker can write.

Generated by OpenCVE AI on May 8, 2026 at 20:31 UTC.
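The following is an added illustration of the class-loading pattern the description and the Impact analysis above refer to. It is not the Redshift driver's code and not from OpenCVE: the loader, the "pluginClass" URL parameter name, the Gadget class and the ?k=v&k=v query form are all hypothetical. It shows why an attacker who controls a class name needs nothing of their own on the classpath (a class that already exists runs its static initializer on load and its constructor on instantiation), and contrasts the unsafe sink with a hardened one that allowlists names, loads without initializing, and type-checks before the class is ever initialized.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in for a connection-URL-driven class loader. It is NOT the
// Redshift driver's code and the "pluginClass" parameter name is invented.
public class UnsafeClassLoadingDemo {

    // Constructed gadget: a class that already sits on the classpath and does
    // something observable when it is loaded or constructed. A real classpath
    // offers many such classes; nothing has to be planted by the attacker.
    public static class Gadget {
        static {
            System.out.println("[gadget] static initializer ran as "
                    + System.getProperty("user.name"));
        }
        public Gadget() {
            System.out.println("[gadget] constructor ran");
        }
    }

    // Vulnerable sink (CWE-470): the class name comes straight from the URL.
    // Class.forName(name) initializes the class (static blocks run), and
    // newInstance() runs its constructor, all inside this process.
    static Object loadUnsafe(String className) throws Exception {
        Class<?> c = Class.forName(className);
        return c.getDeclaredConstructor().newInstance();
    }

    // Hardened form: a closed allowlist of names, loading without
    // initialization, and a type check before the class is ever initialized.
    public interface CredentialsProvider { }
    public static class StaticCredentials implements CredentialsProvider { }

    private static final Set<String> ALLOWED =
            Set.of(StaticCredentials.class.getName());

    static CredentialsProvider loadSafe(String className) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not allowed: " + className);
        }
        Class<?> c = Class.forName(className, false,
                UnsafeClassLoadingDemo.class.getClassLoader());
        if (!CredentialsProvider.class.isAssignableFrom(c)) {
            throw new IllegalArgumentException("not a CredentialsProvider: " + className);
        }
        return c.asSubclass(CredentialsProvider.class)
                .getDeclaredConstructor().newInstance();
    }

    // Minimal parser for the ?k=v&k=v part of a JDBC URL (assumed format).
    static Map<String, String> queryParams(String url) {
        Map<String, String> out = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) return out;
        for (String kv : url.substring(q + 1).split("&")) {
            int eq = kv.indexOf('=');
            if (eq > 0) out.put(kv.substring(0, eq), kv.substring(eq + 1));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker-influenced URL naming a class that already exists.
        String url = "jdbc:redshift://cluster.example.com:5439/dev"
                + "?pluginClass=UnsafeClassLoadingDemo$Gadget";
        String name = queryParams(url).get("pluginClass");

        System.out.println("-- vulnerable sink --");
        loadUnsafe(name);                 // gadget output appears here

        System.out.println("-- hardened sink --");
        try {
            loadSafe(name);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        loadSafe(StaticCredentials.class.getName());
        System.out.println("allowlisted provider loaded");
    }
}
```

Compile and run with javac UnsafeClassLoadingDemo.java && java UnsafeClassLoadingDemo. The two lines printed under the vulnerable sink come from Gadget, a class the "attacker" never supplied; under the hardened sink the same name is rejected before Class.forName is reached, and passing initialize=false means even an allowlisted-but-wrong-type class would not get its static initializer run.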

Remediation

The vendor fix is to upgrade to Amazon Redshift JDBC Driver 2.2.2 or later; no separate workaround for earlier versions is published.

OpenCVE Recommended Actions

  • Upgrade the Amazon Redshift JDBC Driver to version 2.2.2 or later, the vendor-supplied fix.
  • Keep the application's classpath minimal and made up only of trusted, reviewed libraries. The attacker does not need to plant a class: any class already on the classpath whose loading or instantiation has side effects is a usable target, so fewer and better-vetted dependencies shrink the attack surface.
  • Restrict the ability to set or modify JDBC connection URLs to trusted, authenticated components of the application. Do not build URLs from user-controlled input, and validate any untrusted fragment (such as a database name) against a strict allowlist before it reaches the driver.

Generated by OpenCVE AI on May 8, 2026 at 20:31 UTC.
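As an added example of the last recommendation above (not code from the page, from OpenCVE or from the driver), this builder assembles the Redshift JDBC URL from reviewed parts so that request data can never introduce or alter a URL parameter. The page does not name which parameter the driver mishandles, so the builder treats every parameter as application-controlled: the only untrusted inputs are host, port and database name, each validated against a strict pattern. The ssl and loginTimeout parameters, the identifier patterns and the ?k=v&k=v query form are assumptions for illustration.

```java
import java.util.Properties;
import java.util.regex.Pattern;

// Builds the Redshift JDBC URL from reviewed parts so that request data can
// never add or change a URL parameter. Not the driver's code; the parameter
// set is illustrative and the ?k=v&k=v query form is assumed.
public final class RedshiftUrlBuilder {

    // Only plain identifiers pass: no '?', '&', '=', '/', ';', '#' or spaces.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z0-9_]{1,127}");
    private static final Pattern HOST  = Pattern.compile("[A-Za-z0-9][A-Za-z0-9.-]{0,252}");

    // The complete, fixed set of URL parameters this application sends.
    // Values are decided at deployment time, never taken from a request.
    private static final String FIXED_QUERY = "ssl=true&loginTimeout=10";

    private RedshiftUrlBuilder() { }

    static String requireMatch(String value, Pattern p, String what) {
        if (value == null || !p.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + what);
        }
        return value;
    }

    /** Returns jdbc:redshift://host:port/database?ssl=true&loginTimeout=10 */
    public static String build(String host, int port, String database) {
        requireMatch(host, HOST, "host");
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("invalid port");
        }
        requireMatch(database, IDENT, "database");
        return "jdbc:redshift://" + host + ':' + port + '/' + database
                + '?' + FIXED_QUERY;
    }

    /** Credentials travel as JDBC properties, never as URL text. */
    public static Properties credentials(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", requireMatch(user, IDENT, "user"));
        p.setProperty("password", password);   // opaque, not validated here
        return p;
    }

    public static void main(String[] args) {
        String ok = build("cluster.example.com", 5439, "dev");
        System.out.println(ok);
        // In production: DriverManager.getConnection(ok, credentials(u, p)).

        // Constructed hostile input: a "database name" that tries to append a
        // URL parameter. It is rejected before any URL string is assembled.
        String hostile = "dev?pluginClass=com.example.Gadget";
        try {
            build("cluster.example.com", 5439, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice is to validate the untrusted pieces and concatenate them into a fixed template rather than to sanitize a URL the caller has already assembled; the latter has to know every delimiter and encoding the driver accepts, while the former only has to decide what a legal database name looks like.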

Advisories

No advisories yet.

History

Fri, 08 May 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description   -                An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later.
Title         -                Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver
Weaknesses    -                CWE-470
References    -
Metrics       -                cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                               cvssV4_0: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-05-08T20:06:28.690Z

Reserved: 2026-05-08T16:01:18.527Z

Link: CVE-2026-8178

Vulnrichment

Updated: 2026-05-08T19:56:18.831Z

NVD

Status : Received

Published: 2026-05-08T19:16:31.827

Modified: 2026-05-08T19:16:31.827

Link: CVE-2026-8178

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T20:45:16Z

Weaknesses