Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 9 maven packages depend on com.amazon.redshift:redshift-jdbc42 (5 direct, 4 indirect)
Ecosystem-wide dependent count for version 2.2.2.
DescriptionCVE.org
An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath.
To mitigate this issue, users should upgrade to version 2.2.2 or later.
AnalysisAI
Remote code execution in Amazon Redshift JDBC Driver versions prior to 2.2.2 allows unauthenticated network attackers to execute arbitrary code by manipulating JDBC connection URL parameters under high-complexity conditions. The driver can be exploited to load and execute arbitrary classes from the application's classpath when specific connection URL parameters are controlled by an attacker. AWS released patch version 2.2.2 with GHSA advisory GHSA-wmmv-vvg5-993q. CVSS 9.2 (Critical) reflects high impact across confidentiality, integrity, and availability, though attack complexity is high and attack vector prerequisites are present.
Technical ContextAI
This vulnerability (CWE-470: Use of Externally-Controlled Input to Select Classes or Code) affects the Amazon Redshift JDBC Driver, a Java Database Connectivity implementation for connecting applications to AWS Redshift data warehouses. JDBC drivers parse connection URLs containing parameters that control driver behavior. The flaw allows unsafe deserialization or class loading when processing attacker-controlled URL parameters. If malicious parameters reference classes present on the application's classpath (such as gadget chains common in Java environments), the driver instantiates and executes them. This is a classic insecure deserialization/unsafe reflection pattern in Java applications, similar to historical vulnerabilities in other JDBC drivers (PostgreSQL, MySQL) where connection properties trigger code execution. The CPE identifies all versions of amazon:amazon_redshift_jdbc_driver prior to 2.2.2 as affected.
RemediationAI
Upgrade Amazon Redshift JDBC Driver to version 2.2.2 or later immediately. Update Maven/Gradle dependencies to com.amazon.redshift:redshift-jdbc42:2.2.2 (JDBC 4.2) or equivalent for your Java version. Download direct JAR from https://github.com/aws/amazon-redshift-jdbc-driver/releases/tag/v2.2.2 if not using dependency management. If immediate upgrade is not feasible, implement these compensating controls: (1) Validate and sanitize all JDBC connection URL parameters before passing to the driver, specifically rejecting URLs containing unexpected properties or class references, (2) Use allowlist-based validation accepting only known-safe connection parameters (host, port, database, standard auth properties), (3) Avoid constructing JDBC URLs from user-supplied input or external configuration sources, (4) If dynamic URL construction is required, implement strict input validation and consider running the application with a restricted classpath to limit available gadget classes, reducing exploitation impact. Note that classpath restriction may break legitimate application functionality if required libraries are removed. Full mitigation requires patching; workarounds only reduce attack surface. Review AWS security bulletin https://aws.amazon.com/security/security-bulletins/2026-028-aws/ for additional vendor guidance.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28814
GHSA-wmmv-vvg5-993q