CVE-2026-8838

Source
https://cve.org/CVERecord?id=CVE-2026-8838
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-8838.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-8838
Published
2026-05-18T20:15:37.933Z
Modified
2026-06-18T03:54:58.238760812Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Remote Code Execution via eval() Injection in amazon-redshift-python-driver
Details

Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client.

To remediate this issue, users should upgrade to version 2.1.14.

Database specific
{
    "cna_assigner": "AMZN",
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8838.json"
}

Affected packages

Git / github.com/aws/amazon-redshift-python-driver

Affected ranges

Type
GIT
Repo
https://github.com/aws/amazon-redshift-python-driver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.1.13"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.14"
        }
    ]
}

Affected versions

2.*
2.0.905
v2.*
v2.0.384
v2.0.389
v2.0.393
v2.0.399
v2.0.405
v2.0.659
v2.0.711
v2.0.872
v2.0.873
v2.0.874
v2.0.875
v2.0.876
v2.0.877
v2.0.878
v2.0.879
v2.0.880
v2.0.881
v2.0.882
v2.0.883
v2.0.884
v2.0.885
v2.0.886
v2.0.887
v2.0.888
v2.0.889
v2.0.900
v2.0.901
v2.0.902
v2.0.903
v2.0.904
v2.0.906
v2.0.908
v2.0.909
v2.0.910
v2.0.911
v2.0.912
v2.0.913
v2.0.914
v2.0.915
v2.0.916
v2.0.917
v2.0.918
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-8838.json"