CVE-2026-8178

Summary

Amazon Redshift JDBC Driver is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs). An issue exists in versions prior to 2.2.2 where the driver could load arbitrary classes when processing certain connection URL parameters, potentially allowing code execution in the application context.

Impact

When a JDBC connection URL contains certain parameters, the driver processes the parameter values in a way that could trigger the execution of code from classes available on the application's classpath. An actor who can influence the JDBC connection URL could leverage this to execute code in the context of the application's JVM process. Successful exploitation could allow the actor to read sensitive data, modify application state, or disrupt service availability with the privileges of the application process.

Impacted versions: Amazon Redshift JDBC Driver < 2.2.2

Patches

This issue has been addressed in Amazon Redshift JDBC Driver version 2.2.2. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

References

If you have any questions or comments about this advisory, we ask that you contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Acknowledgement

We would like to thank Fushuling for collaborating on this issue through the coordinated issue disclosure process.