{"id":"CVE-2026-8838","summary":"Remote Code Execution via eval() Injection in amazon-redshift-python-driver","details":"Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. \n\n\n\nTo remediate this issue, users should upgrade to version 2.1.14.","aliases":["GHSA-29h4-r29x-hchv"],"modified":"2026-06-18T03:54:58.238760812Z","published":"2026-05-18T20:15:37.933Z","related":["CGA-44f7-mm2v-vvg6"],"database_specific":{"cwe_ids":["CWE-94"],"cna_assigner":"AMZN","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8838.json"},"references":[{"type":"ADVISORY","url":"https://aws.amazon.com/security/security-bulletins/2026-033-aws/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8838.json"},{"type":"ADVISORY","url":"https://github.com/aws/amazon-redshift-python-driver/security/advisories/GHSA-29h4-r29x-hchv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8838"},{"type":"FIX","url":"https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.14"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/aws/amazon-redshift-python-driver","events":[{"introduced":"0"},{"fixed":"2b8397650dede09c609343e567ef3794f84a8662"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.1.13"},{"introduced":"0"},{"fixed":"2.1.14"}],"source":["AFFECTED_FIELD","DESCRIPTION","REFERENCES"]}}],"versions":["v2.1.13","v2.1.12","v2.1.11","v2.1.10","v2.1.9","v2.1.8","v2.1.7","v2.1.6","v2.1.5","v2.1.4","v2.1.3","v2.1.2","v2.1.1","v2.1.0","v2.0.918","v2.0.917","v2.0.916","v2.0.915","v2.0.914","v2.0.913","v2.0.912","v2.0.911","v2.0.910","v2.0.909","v2.0.908","v2.0.906","2.0.905","v2.0.904","v2.0.903","v2.0.902","v2.0.901","v2.0.900","v2.0.889","v2.0.888","v2.0.887","v2.0.886","v2.0.885","v2.0.884","v2.0.883","v2.0.882","v2.0.881","v2.0.880","v2.0.879","v2.0.878","v2.0.877","v2.0.876","v2.0.875","v2.0.874","v2.0.873","v2.0.872","v2.0.711","v2.0.659","v2.0.405","v2.0.399","v2.0.393","v2.0.389","v2.0.384"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-8838.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}