github.com
Critical Code Injection Vulnerability in amazon-redshift-python-driver
A code injection vulnerability has been identified in the amazon-redshift-python-driver, affecting versions 2.1.13 and earlier. This flaw allows a rogue server or man-in-the-middle to execute arbitrary code on the client. The vulnerability is due to insufficient validation of data received during query result processing. AWS has released version 2.1.14 to address this issue and recommends immediate upgrades. The vulnerability has been assigned CVE-2026-8838. Users of the affected driver should patch their systems promptly to mitigate risks. The issue was disclosed through a coordinated effort with researchers from the Institute of Information Engineering, Chinese Academy of Sciences. AWS has provided contact information for security inquiries.
Key Points:
• Code injection vulnerability in amazon-redshift-python-driver affects versions <=2.1.13.
• CVE-2026-8838 allows arbitrary code execution via rogue servers or man-in-the-middle attacks.
• AWS recommends upgrading to version 2.1.14 to mitigate the identified risk.
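A check for the affected range stated above, covering both pinned requirements and the installed package. This is an added example, not code from the advisory or from AWS; it assumes the driver's PyPI distribution name `redshift_connector`, and the function names and sample requirements text are constructed for illustration.

```python
import re
from importlib import metadata

PACKAGE = "redshift-connector"  # normalized PyPI name (assumption: redshift_connector)
FIXED = (2, 1, 14)              # first fixed release per the advisory
SAMPLE = """\
# constructed sample requirements file
boto3==1.34.0
redshift_connector==2.1.10
Redshift-Connector[full]>=2.1.0   # range
redshift.connector==2.1.14 ; python_version >= "3.8"
"""

def _norm(name):
    # PEP 503 normalization: redshift_connector, Redshift.Connector -> redshift-connector
    return re.sub(r"[-_.]+", "-", name).lower()

def _release(version):
    # Compare on the leading numeric release segment only, padded to three parts
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(version):
    return _release(version) < FIXED

def audit_requirements(text):
    """Return (line_no, requirement, verdict) for every line naming the driver."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)", line)
        if not m or _norm(m.group(1)) != PACKAGE:
            continue
        spec = m.group(2).split(";")[0].strip()  # drop environment markers
        pin = re.fullmatch(r"==\s*(\d+(?:\.\d+)*)", spec)
        if pin:
            verdict = "affected" if is_affected(pin.group(1)) else "fixed"
        else:
            verdict = "review"  # range, wildcard or unpinned: may resolve to <= 2.1.13
        findings.append((n, line, verdict))
    return findings

def installed_status():
    """Return (version, affected) for the current environment, or None if absent."""
    try:
        v = metadata.version("redshift_connector")
    except metadata.PackageNotFoundError:
        return None
    return v, is_affected(v)
```

Lines marked `review` need a look at the lock file or the resolved environment, since a range such as `>=2.1.0` can still install an affected release.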