Description
Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client.



To remediate this issue, users should upgrade to version 2.1.14.
Published: 2026-05-18
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Amazon Redshift Python Connector’s vector_in() function, which internally applies Python’s eval() to data received from the Redshift server before version 2.1.14. This unsafe usage allows a rogue server or an attacker performing a man‑in‑the‑middle attack to inject arbitrary Python code that will be executed on the client’s environment. The impact is the ability to run code of the attacker’s choice on the client machine, providing full control of that host.

Affected Systems

This flaw affects the AWS Amazon Redshift connector for Python, all releases prior to 2.1.14. Users employing the driver to connect to Redshift servers are vulnerable until the driver is upgraded to version 2.1.14 or later.

Risk and Exploitability

The CVSS score of 9.3 marks this vulnerability as critical, and while the EPSS value is not reported, the absence of a known exploit in the KEV catalog does not diminish its inherent risk. The attack can be carried out remotely by controlling the Redshift server or intercepting and manipulating data in transit. An attacker does not need local file access or elevated privileges on the client to achieve arbitrary code execution.

Generated by OpenCVE AI on May 18, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Amazon Redshift Python Connector to version 2.1.14 or later.
  • Configure connections to only trusted Redshift servers and avoid using untrusted user data in vector_in() calls.
  • Audit application code to ensure eval() is never invoked on data that originates from external or untrusted sources.

Generated by OpenCVE AI on May 18, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-29h4-r29x-hchv amazon-redshift-python-driver vulnerable to Remote Code Execution via eval() Injection
History

Tue, 19 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Amazon
Amazon redshift Connector For Python
Vendors & Products Amazon
Amazon redshift Connector For Python

Mon, 18 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14.
Title Remote Code Execution via eval() Injection in amazon-redshift-python-driver
First Time appeared Aws
Aws amazon Redshift Connector For Python
Weaknesses CWE-94
CPEs cpe:2.3:a:aws:amazon_redshift_connector_for_python:*:*:*:*:*:*:*:*
Vendors & Products Aws
Aws amazon Redshift Connector For Python
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Amazon Redshift Connector For Python
Aws Amazon Redshift Connector For Python
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-05-19T12:56:12.712Z

Reserved: 2026-05-18T14:57:04.276Z

Link: CVE-2026-8838

cve-icon Vulnrichment

Updated: 2026-05-19T12:56:06.228Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-18T21:16:41.623

Modified: 2026-05-19T14:24:20.997

Link: CVE-2026-8838

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T08:18:38Z

Weaknesses