GHSA-WMMV-VVG5-993Q
Vulnerability from github – Published: 2026-05-14 13:09 – Updated: 2026-05-14 13:09Summary
Amazon Redshift JDBC Driver is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs). An issue exists in versions prior to 2.2.2 where the driver could load arbitrary classes when processing certain connection URL parameters, potentially allowing code execution in the application context.
Impact
When a JDBC connection URL contains certain parameters, the driver processes the parameter values in a way that could trigger the execution of code from classes available on the application's classpath. An actor who can influence the JDBC connection URL could leverage this to execute code in the context of the application's JVM process. Successful exploitation could allow the actor to read sensitive data, modify application state, or disrupt service availability with the privileges of the application process.
Impacted versions: Amazon Redshift JDBC Driver < 2.2.2
Patches
This issue has been addressed in Amazon Redshift JDBC Driver version 2.2.2. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
References
If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Acknowledgement
We would like to thank Fushuling for collaborating on this issue through the coordinated issue disclosure process.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.amazon.redshift:redshift-jdbc42"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8178"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T13:09:52Z",
"nvd_published_at": "2026-05-08T19:16:31Z",
"severity": "CRITICAL"
},
"details": "### Summary\nAmazon Redshift JDBC Driver is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs). An issue exists in versions prior to 2.2.2 where the driver could load arbitrary classes when processing certain connection URL parameters, potentially allowing code execution in the application context.\n\n### Impact\nWhen a JDBC connection URL contains certain parameters, the driver processes the parameter values in a way that could trigger the execution of code from classes available on the application\u0027s classpath. An actor who can influence the JDBC connection URL could leverage this to execute code in the context of the application\u0027s JVM process. Successful exploitation could allow the actor to read sensitive data, modify application state, or disrupt service availability with the privileges of the application process.\n\nImpacted versions: Amazon Redshift JDBC Driver \u003c 2.2.2\n\n### Patches\nThis issue has been addressed in Amazon Redshift JDBC Driver version [2.2.2](https://github.com/aws/amazon-redshift-jdbc-driver/releases/tag/v2.2.2). We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.\n\n### References\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n### Acknowledgement\nWe would like to thank [Fushuling](https://github.com/Fushuling) for collaborating on this issue through the coordinated issue disclosure process.",
"id": "GHSA-wmmv-vvg5-993q",
"modified": "2026-05-14T13:09:52Z",
"published": "2026-05-14T13:09:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-wmmv-vvg5-993q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8178"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/2026-028-aws"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/amazon-redshift-jdbc-driver"
},
{
"type": "WEB",
"url": "https://github.com/aws/amazon-redshift-jdbc-driver/releases/tag/v2.2.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Amazon Redshift Vulnerable to Remote Code Execution via Unsafe Class Loading"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.