CVE-2026-8838
9.8 CRITICAL
Published: 2026-05-18 · Last updated: 2026-05-19
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-94
Description
Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14.
Source: NVD
QSearch commentary
Insecure Python deserialization on server-received data is a 2010-era bug that keeps re-appearing in data-platform drivers because the driver authors trust the protocol envelope. The pattern is identical across PySpark, jsonpickle, and now this Redshift Python driver. Our Application Security and Cryptography + AI pillars share the same audit lens: any function that builds a runtime object from a network payload is presumptively guilty until verified.
— QSearch Security Research · 2026-05-19
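The defect class named above (CWE-94 via `eval()` on wire data) is easiest to see beside its fix. The following is an added illustration written for this page, not code from amazon-redshift-python-driver: `vector_in_unsafe`, `vector_in_literal`, `vector_in_strict`, the regex grammar and the two constructed wire values are all hypothetical. It assumes the server sends a vector as text like `[0.1, 0.2]`, and shows that `eval()` will happily execute any Python expression in that slot, while `ast.literal_eval()` refuses operators, names and calls, and a grammar-checked parser never evaluates the text at all.

```python
import ast
import re
from typing import Callable, List

# Hypothetical grammar for the value we actually expect from the server:
# a bracketed, comma-separated list of decimal floats, e.g. "[0.1, -2.5e-3, 3]".
_NUM = r"[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?"
_VECTOR_RE = re.compile(rf"^\s*\[\s*(?:{_NUM}\s*(?:,\s*{_NUM}\s*)*)?\]\s*$")

# Constructed wire values (not captured traffic): one well-formed vector and
# one that is a valid Python expression but not a vector literal.
GOOD_WIRE_VALUE = "[1.0, 2.5e-3, -3]"
EXPRESSION_WIRE_VALUE = "[1, 2] * 3"


def vector_in_unsafe(data: str) -> List[float]:
    """The vulnerable pattern (CWE-94): the wire text goes straight to eval(),
    so whatever expression the peer sends is executed inside the client."""
    return eval(data)  # noqa: S307 -- deliberately unsafe, kept only for contrast


def vector_in_literal(data: str) -> List[float]:
    """Safer drop-in: ast.literal_eval() accepts Python literals only (no names,
    calls or operators); the result's shape is then checked explicitly."""
    value = ast.literal_eval(data)
    if not isinstance(value, list) or not all(
        isinstance(x, (int, float)) and not isinstance(x, bool) for x in value
    ):
        raise ValueError("server value is not a vector literal")
    return [float(x) for x in value]


def vector_in_strict(data: str) -> List[float]:
    """Strictest: validate the text against the expected grammar, then convert
    each token with float(); nothing from the wire is ever evaluated as code."""
    if not _VECTOR_RE.match(data):
        raise ValueError(f"malformed vector literal: {data!r}")
    body = data.strip()[1:-1].strip()
    return [float(tok) for tok in body.split(",")] if body else []


def rejects(parser: Callable[[str], List[float]], data: str) -> bool:
    """True if the parser refuses the input with ValueError rather than
    evaluating it; used to contrast the three parsers on the same input."""
    try:
        parser(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vector_in_strict(GOOD_WIRE_VALUE))        # [1.0, 0.0025, -3.0]
    print(vector_in_unsafe(EXPRESSION_WIRE_VALUE))  # [1, 2, 1, 2, 1, 2]: the expression ran
    print(rejects(vector_in_literal, EXPRESSION_WIRE_VALUE),
          rejects(vector_in_strict, EXPRESSION_WIRE_VALUE))  # True True
```

`ast.literal_eval()` removes the code-execution path but still parses arbitrary Python syntax, so very large or deeply nested inputs can exhaust memory or the parser; a grammar-bounded parser like `vector_in_strict` is the shape to aim for in a driver, and it is also the version that can be fuzzed and reviewed in isolation.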
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-8838
- [Other] https://aws.amazon.com/security/security-bulletins/2026-033-aws/
- [Other] https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.14
- [Other] https://github.com/aws/amazon-redshift-python-driver/security/advisories/GHSA-29h4-r29x-hchv
Engagement axis
This CVE class is addressed in the QSearch continuous-protection axis.
Related CVEs
Same CWE
- CVE-2026-46517 — LMDeploy is a toolkit for compressing, deploying, and serving large language models (7.8 HIGH)
- CVE-2026-46432 — LMDeploy is a toolkit for compressing, deploying, and serving large language models (7.8 HIGH)
- CVE-2026-47292 — Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally (7.8 HIGH)
- CVE-2026-45583 — Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code ov... (7.5 HIGH)
- CVE-2026-0414 — Insufficient input validation vulnerability in the listed NETGEAR models allows authenticated administrators connected to the local netwo...