Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 pypi packages depend on redshift-connector (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.1.14.
DescriptionCVE.org
Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client.
To remediate this issue, users should upgrade to version 2.1.14.
AnalysisAI
Remote code execution in the amazon-redshift-python-driver (versions prior to 2.1.14) allows a malicious or compromised Redshift server, or a man-in-the-middle attacker positioned on the network path, to execute arbitrary Python code on any client that connects. The root cause is unsafe use of Python's eval() against untrusted server-supplied data inside the vector_in() function. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and PR:N/UI:N vector make this a high-priority client-side supply-chain-style risk.
Technical ContextAI
The driver is the official AWS Python connector (cpe:2.3:a:aws:amazon_redshift_connector_for_python) used by data engineers, ETL pipelines, notebooks, and analytics workloads to communicate with Amazon Redshift clusters over the PostgreSQL wire protocol. The vulnerability is a textbook CWE-94 (Improper Control of Generation of Code, i.e. code injection): the vector_in() type-parsing routine passes server-delivered byte data to Python's built-in eval(), which interprets the input as a Python expression. Because eval() evaluates arbitrary expressions including function calls, any value returned by the server in a column of vector type is sufficient to invoke os.system, subprocess, __import__, or any other callable inside the client's Python process.
RemediationAI
Vendor-released patch: upgrade amazon-redshift-python-driver (redshift_connector) to version 2.1.14 or later via pip install --upgrade redshift_connector, as published at https://github.com/aws/amazon-redshift-python-driver/releases/tag/v2.1.14 and described in https://aws.amazon.com/security/security-bulletins/2026-033-aws/ and https://github.com/aws/amazon-redshift-python-driver/security/advisories/GHSA-29h4-r29x-hchv. Until the upgrade is rolled out, ensure all client connections use TLS with verified certificates (sslmode=verify-full) to eliminate the man-in-the-middle path, restrict the connector to connect only to known AWS-owned Redshift endpoints via VPC endpoints or strict egress allow-listing, and avoid using the driver against arbitrary or third-party PostgreSQL-protocol-compatible servers; these controls do not address a maliciously crafted column response from a trusted-but-compromised cluster, so patching remains the only complete fix.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30803
GHSA-29h4-r29x-hchv