CVE-2026-8178

Source
https://cve.org/CVERecord?id=CVE-2026-8178
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8178.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-8178
Aliases
Published
2026-05-08T18:36:46.950Z
Modified
2026-07-08T08:13:51.938271243Z
Severity
  • 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver
Details

An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath.

To mitigate this issue, users should upgrade to version 2.2.2 or later.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8178.json",
    "cna_assigner": "AMZN",
    "cwe_ids": [
        "CWE-470"
    ]
}
References

Affected packages

Git / github.com/aws/amazon-redshift-jdbc-driver

Affected ranges

Type
GIT
Repo
https://github.com/aws/amazon-redshift-jdbc-driver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

2.*
2.1.0.11
v2.*
v2.0.0.0
v2.0.0.1
v2.0.0.2
v2.0.0.3
v2.0.0.4
v2.0.0.5
v2.0.0.6
v2.0.0.7
v2.1.0.1
v2.1.0.10
v2.1.0.11
v2.1.0.12
v2.1.0.13
v2.1.0.14
v2.1.0.16
v2.1.0.17
v2.1.0.18
v2.1.0.19
v2.1.0.2
v2.1.0.20
v2.1.0.21
v2.1.0.22
v2.1.0.23
v2.1.0.24
v2.1.0.25
v2.1.0.26
v2.1.0.28
v2.1.0.29
v2.1.0.3
v2.1.0.30
v2.1.0.31
v2.1.0.32
v2.1.0.33
v2.1.0.34
v2.1.0.4
v2.1.0.5
v2.1.0.6
v2.1.0.7
v2.1.0.8
v2.1.0.9
v2.2.0
v2.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8178.json"