Arbitrary Code Injection Affecting redshift-connector package, versions [,2.1.14)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Social Trends
EPSS
0.81% (53rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-REDSHIFTCONNECTOR-17111071
  • published31 May 2026
  • disclosed29 May 2026
  • creditKexin Chen

Introduced: 29 May 2026

CVE-2026-8838  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade redshift-connector to version 2.1.14 or higher.

Overview

redshift-connector is a Redshift interface library

Affected versions of this package are vulnerable to Arbitrary Code Injection due to the use of eval() on untrusted data received from the server, in the vector_in() function. An attacker can execute arbitrary code on the client system by sending malicious query responses.

If the attacker is in a MitM position, it lowers the likelihood of a successful attack (CVSS AT:P). But an attacker on the internet in control of a rogue server who can convince a client to send requests to it is also able to exploit this vulnerability, so it is assessed here as AV:N with UI:P.

CVSS Base Scores

version 4.0
version 3.1