Skip to main content

Amazon Redshift JDBC Driver EUVDEUVD-2026-28814

| CVE-2026-8178 CRITICAL
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-05-08 AMZN GHSA-wmmv-vvg5-993q
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
May 08, 2026 - 19:30 vuln.today
Analysis Generated
May 08, 2026 - 19:30 vuln.today
Severity Changed
May 08, 2026 - 19:22 NVD
HIGH CRITICAL
CVSS changed
May 08, 2026 - 19:22 NVD
8.1 (HIGH) 9.2 (CRITICAL)
CVE Published
May 08, 2026 - 18:36 nvd
CRITICAL 9.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 9 maven packages depend on com.amazon.redshift:redshift-jdbc42 (5 direct, 4 indirect)

Ecosystem-wide dependent count for version 2.2.2.

DescriptionCVE.org

An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath.

To mitigate this issue, users should upgrade to version 2.2.2 or later.

AnalysisAI

Remote code execution in Amazon Redshift JDBC Driver versions prior to 2.2.2 allows unauthenticated network attackers to execute arbitrary code by manipulating JDBC connection URL parameters under high-complexity conditions. The driver can be exploited to load and execute arbitrary classes from the application's classpath when specific connection URL parameters are controlled by an attacker. AWS released patch version 2.2.2 with GHSA advisory GHSA-wmmv-vvg5-993q. CVSS 9.2 (Critical) reflects high impact across confidentiality, integrity, and availability, though attack complexity is high and attack vector prerequisites are present.

Technical ContextAI

This vulnerability (CWE-470: Use of Externally-Controlled Input to Select Classes or Code) affects the Amazon Redshift JDBC Driver, a Java Database Connectivity implementation for connecting applications to AWS Redshift data warehouses. JDBC drivers parse connection URLs containing parameters that control driver behavior. The flaw allows unsafe deserialization or class loading when processing attacker-controlled URL parameters. If malicious parameters reference classes present on the application's classpath (such as gadget chains common in Java environments), the driver instantiates and executes them. This is a classic insecure deserialization/unsafe reflection pattern in Java applications, similar to historical vulnerabilities in other JDBC drivers (PostgreSQL, MySQL) where connection properties trigger code execution. The CPE identifies all versions of amazon:amazon_redshift_jdbc_driver prior to 2.2.2 as affected.

RemediationAI

Upgrade Amazon Redshift JDBC Driver to version 2.2.2 or later immediately. Update Maven/Gradle dependencies to com.amazon.redshift:redshift-jdbc42:2.2.2 (JDBC 4.2) or equivalent for your Java version. Download direct JAR from https://github.com/aws/amazon-redshift-jdbc-driver/releases/tag/v2.2.2 if not using dependency management. If immediate upgrade is not feasible, implement these compensating controls: (1) Validate and sanitize all JDBC connection URL parameters before passing to the driver, specifically rejecting URLs containing unexpected properties or class references, (2) Use allowlist-based validation accepting only known-safe connection parameters (host, port, database, standard auth properties), (3) Avoid constructing JDBC URLs from user-supplied input or external configuration sources, (4) If dynamic URL construction is required, implement strict input validation and consider running the application with a restricted classpath to limit available gadget classes, reducing exploitation impact. Note that classpath restriction may break legitimate application functionality if required libraries are removed. Full mitigation requires patching; workarounds only reduce attack surface. Review AWS security bulletin https://aws.amazon.com/security/security-bulletins/2026-028-aws/ for additional vendor guidance.

Share

EUVD-2026-28814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy