CVE-2026-8838 - Remote Code Execution in amazon-redshift-python-driver
Bulletin ID: 2026-033-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 05/18/2026 13:15 PM PDT
Description:
amazon-redshift-python-driver is the official Python connector for Amazon Redshift. We identified a code injection issue in versions 2.1.13 and earlier that could allow a rogue server or man-in-the-middle to execute arbitrary code on the client.
Impacted versions: <=2.1.13
Resolution:
This issue has been addressed in amazon-redshift-python-driver version 2.1.14. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
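To check where the impacted range above applies, the following added example (not part of the bulletin or the driver's code) flags exact pins of the driver in a requirements file and reports the version installed in the current environment. It assumes the driver is published on PyPI as `redshift_connector`, a name the bulletin does not state; the sample requirements text is constructed.

```python
import re
from importlib import metadata

# Assumption: PyPI distribution name of the driver (not stated in the bulletin).
DIST_NAME = "redshift_connector"
FIXED = (2, 1, 14)  # first fixed release per the bulletin; <=2.1.13 is impacted

def normalize(name):
    """PEP 503 name normalization: runs of '-', '_', '.' become one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release_tuple(version):
    """Numeric release segment of a version string, e.g. '2.1.13' -> (2, 1, 13)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '2.2' to (2, 2, 0)

def is_impacted(version):
    return release_tuple(version) < FIXED

# name, optional [extras], then an exact '==' pin; stops at markers and comments
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def audit_requirements(text):
    """Return (line_no, version) for each impacted exact pin of the driver."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        if m and normalize(m.group(1)) == normalize(DIST_NAME) and is_impacted(m.group(2)):
            findings.append((n, m.group(2)))
    return findings

def installed_status():
    """'not installed', 'impacted <ver>' or 'fixed <ver>' for this environment."""
    try:
        ver = metadata.version(DIST_NAME)
    except metadata.PackageNotFoundError:
        return "not installed"
    return ("impacted " if is_impacted(ver) else "fixed ") + ver

# Constructed sample requirements file (not from the bulletin).
SAMPLE = """\
boto3==1.34.0
redshift-connector==2.1.13   # impacted
Redshift_Connector[full]==2.0.918 ; python_version >= "3.8"
redshift_connector==2.1.14
"""
if __name__ == "__main__":
    print(audit_requirements(SAMPLE), installed_status())
```

Only exact `==` pins are evaluated, so range specifiers and unpinned entries need a separate look. Forked or vendored copies of the driver are not found by a distribution-name check and must be reviewed against the 2.1.14 changes directly.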
References:
Acknowledgement:
We would like to thank Kexin Chen and the Institute of Information Engineering, Chinese Academy of Sciences for collaborating through the coordinated disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.