CVE-2026-8178
HIGHRemote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver
Title source: cnaDescription
An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
https://aws.amazon.com/security/security-bulletins/2026-028-aws/
Third Party Advisory third-party-advisory
https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-wmmv-vvg5-993q
Scores
CVSS v3
8.1
EPSS
0.0003
EPSS Percentile
8.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-470
Status
published
Products (2)
Amazon/Amazon Redshift JDBC Driver
2.2.2
com.amazon.redshift/redshift-jdbc42
0 - 2.2.2Maven
Published
May 08, 2026
Tracked Since
May 09, 2026