← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-8838 · CWE-94 · Disclosed 2026-05-18

Unsafe use of Python's eval

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a booby-trapped loading dock, not a burglar who can open your front door

In amazon-redshift-python-driver / redshift_connector, versions <= 2.1.13 process certain server-returned values in vector_in() with Python eval(). If the client talks to a malicious Redshift-compatible endpoint, or an attacker can tamper with server responses in transit, that untrusted data can become code execution inside the Python client process. The fix is 2.1.14, published on 2026-05-18 by AWS and GitHub.

The vendor's 9.8 CRITICAL score overstates enterprise reality. The impact is absolutely severe *once the attacker controls the server side of the conversation*, but that prerequisite is the whole story: most shops connect this driver to legitimate Redshift over TLS, usually inside AWS/VPC controls, so this is not an internet-wormable pre-auth server exploit. It's a trust-boundary failure on the client, not a direct compromise path into Redshift itself.

"Real bug, real client-side RCE, but it usually needs a rogue server or a broken trust boundary first."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Gain position on the database trust path

The attacker first needs a way to influence what the client believes is a Redshift/PostgreSQL-speaking server. In practice that means operating a rogue server, hijacking connection settings, poisoning DNS/configuration, or sitting in a man-in-the-middle position despite the environment's transport protections. Weaponized tool: a custom PostgreSQL wire-protocol server or interceptor; AWS's advisory explicitly frames the exploit precondition as a rogue server or MITM.
Conditions required:
  • The target uses redshift_connector version <= 2.1.13
  • The attacker can make the client connect to an attacker-controlled endpoint or can tamper with server responses
  • The connection trust model is weak enough for that redirection/tampering to stick
Where this breaks in practice:
  • AWS requires TLS 1.2+ for Redshift service access, which raises the bar for clean MITM on legitimate sessions
  • Redshift clusters are commonly VPC-restricted and locked down by security groups by default
  • This is a client library issue, so there is no always-on server listener to mass-scan and hit
Detection/coverage: Network scanners will not reliably find this; exposure is package-based, not banner-based. SBOM/SCA, Python package inventory, and image/container dependency scans are the right coverage.
STEP 02

Return crafted query data to the client

Once the attacker controls the server side of the session, they answer a query with specially crafted result data that reaches vector_in(). The vulnerability is not in SQL text parsing; it is in the client's processing of server-supplied result content. Weaponized tool: malicious server response generator over the PostgreSQL frontend/backend protocol.
Conditions required:
  • The application actually executes a query against the attacker-influenced endpoint
  • The returned datatype/path reaches the vulnerable vector_in() parser
Where this breaks in practice:
  • The attacker still needs protocol correctness good enough for the client to stay connected and consume the payload
  • Only code paths that deserialize the affected response format matter
Detection/coverage: App-layer IDS coverage is typically poor here. You are more likely to see unusual outbound DB connections, hostname drift, or failed certificate/connection events than a clean signature for the payload itself.
STEP 03

Trigger eval() inside the Python client

The vulnerable function evaluates attacker-controlled content, converting a database response into arbitrary Python execution in the application's process. At that moment, the attacker's privileges are the same as the Python service account running the connector. Weaponized tool: Python expression payload delivered in the server response.
Conditions required:
  • The vulnerable parser is invoked before process termination or validation rejects the response
  • The application process has useful filesystem, secret, or network permissions
Where this breaks in practice:
  • Least-privilege service accounts and container confinement can reduce blast radius
  • EDR or runtime controls may catch the follow-on child process, file access, or beaconing behavior
Detection/coverage: Strong EDR can catch post-execution behaviors, but not necessarily the eval() itself unless Python telemetry is enabled. Expect prevention to come from dependency hygiene and trust-path hardening, not signature detection.
STEP 04

Pivot from client code exec to data or cloud access

After code execution, the attacker can steal database credentials, IAM-derived temporary credentials, query results, local secrets, or use the workload identity for further AWS/API access. This can be highly damaging on ETL runners, notebooks, schedulers, and analytics services that often hold broad data access. Weaponized tool: standard post-exploitation Python/OS tradecraft.
Conditions required:
  • The compromised client host has reachable secrets, tokens, or privileged network paths
  • The service identity is over-privileged
Where this breaks in practice:
  • Some workloads use narrowly scoped IAM roles or ephemeral containers with minimal local secret material
  • Outbound egress controls and EDR may limit follow-on actions
Detection/coverage: CloudTrail, EDR, and application logs can catch the aftermath: unusual STS usage, unexpected subprocess launches, suspicious file reads, or new outbound destinations.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo authoritative evidence of active exploitation found in the sources reviewed. CISA KEV does not list CVE-2026-8838 as of this assessment.
KEV statusNot listed in CISA's Known Exploited Vulnerabilities catalog; no KEV date applies.
PoC availabilityNo well-known public exploit repo surfaced in primary-source review. The exploit concept is straightforward for anyone able to stand up a PostgreSQL wire-protocol emulator, but I did not verify a public turnkey PoC.
EPSSEPSS score provided in prompt: 0.00076 (~0.076% 30-day exploitation probability). A third-party mirror reports roughly 18th percentile, which is consistent with a niche, low-observed-exploitation path rather than a breakout internet exploit.
CVSS vector reality checkCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H captures impact *after* the attacker controls the server side of the exchange, but it ignores the real-world prerequisite that the target must talk to a rogue server or suffer a defeated trust path.
Affected versionsAWS bulletin says <= 2.1.13; GHSA describes affected versions as 2.1.13 and earlier for pip redshift_connector.
Fixed versionUpgrade to redshift_connector 2.1.14. PyPI shows 2.1.14 released on 2026-05-18.
Exposure populationThis is a client library embedded in Python workloads, not a server product with an internet-facing banner. Shodan/Censys-style exposure counting is largely not applicable; inventory must come from package management, containers, virtualenvs, notebooks, and CI artifacts.
Transport and deployment frictionAWS documents that Redshift clients must support TLS 1.2 and notes clusters are locked down by default with VPC security groups. The driver also documents ssl=True and sslmode values verify-ca / verify-full, which materially raise the bar for MITM on legitimate sessions.
Disclosure / creditDisclosed 2026-05-18 by AWS bulletin 2026-033-AWS; credit given to Kexin Chen and the Institute of Information Engineering, Chinese Academy of Sciences.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.4/10)

The decisive friction is that exploitation generally requires the victim client to trust a rogue Redshift/PostgreSQL-speaking endpoint or a successful MITM position first. That makes this a client-side trust-boundary failure with strong preconditions, not a broadly reachable pre-auth server bug despite the ugly code-exec impact.

HIGH Affected/fixed versioning and root-cause characterization
MEDIUM Enterprise severity downgrade based on likely deployment friction
LOW Public PoC/non-PoC state beyond primary-source disclosures

Why this verdict

  • Downward pressure: attacker must own the trust path. The exploit is not 'send a packet to any Redshift server'; it requires a rogue server or MITM. That implies either prior compromise, configuration hijack, DNS/control-plane abuse, or a broken TLS/trust setup.
  • Downward pressure: reachable population is narrow. redshift_connector lives inside Python apps, notebooks, ETL jobs, and services. There is no mass-scannable listener population comparable to an internet-exposed appliance or portal.
  • Downward pressure: modern deployment defaults help. AWS states Redshift requires TLS 1.2+, clusters are locked down by default, and the driver supports sslmode verification. Good VPC and certificate hygiene kills the cleanest attack path.
  • Upward pressure: impact on the client is full code execution. If the prerequisite trust boundary is broken, the attacker gets arbitrary Python execution in a process that often has data access, local secrets, and possibly AWS credentials.
  • Upward pressure: data-platform blast radius can be meaningful. Analytics runners, schedulers, and notebooks frequently hold broad read paths into sensitive datasets, so a single exploited client can still become a high-value foothold.

Why not higher?

I am not scoring this HIGH or CRITICAL because the attack chain starts with a major prerequisite the vendor CVSS does not really price in: the attacker must become the server, or break the network trust path well enough to impersonate it. In a normal enterprise Redshift deployment with TLS, VPC scoping, and stable connection configuration, that sharply limits reachable victims and pushes this out of the 'drop everything' bucket.

Why not lower?

I am not pushing this to LOW because the flaw is genuine arbitrary code execution in the client process, not a theoretical parser crash. Many affected workloads are exactly the kind of Python jobs that carry useful data access, secrets, and cloud credentials, so compromise can still hurt badly if the trust precondition is met.

05 · Compensating Control

What to do — in priority order.

  1. Enforce trusted Redshift endpoints — Restrict outbound database connections from affected workloads so they can only reach known Redshift hostnames/IPs or approved private endpoints. Do this as the primary mitigation within the noisgate mitigation SLA equivalent for a MEDIUM issue: there is no mitigation SLA — go straight to the 365-day remediation window, but high-value analytics tiers should still harden this immediately.
  2. Require certificate validation — Audit connection settings and ensure the driver runs with TLS enabled and strict verification (ssl=True, sslmode=verify-full where operationally possible). This specifically cuts off the MITM branch of the attack chain; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, though this is worth fixing now if you find weak TLS settings.
  3. Hunt for package copies — Inventory redshift_connector across hosts, containers, notebooks, CI images, and embedded virtual environments so you know where <=2.1.13 exists. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but you cannot remediate what you cannot enumerate.
  4. Constrain workload identity — Reduce IAM role scope, local secret exposure, and filesystem privileges on analytics/ETL workers using this package. That does not remove the bug, but it limits blast radius if a client process is compromised during the remediation window.
What doesn't work
  • A generic WAF does not help; the vulnerable surface is a database client protocol exchange, not HTTP request handling.
  • Perimeter internet scanning does not help much; this is a package inside workloads, not a server banner you can discover and patch from edge telemetry.
  • Focusing only on Redshift server patch status misses the issue; the vulnerable component is the Python connector on the client side.
06 · Verification

Crowdsourced verification payload.

Run this on the target host, container, notebook kernel image, or CI artifact where Python workloads may import redshift_connector. Invoke it with python3 check_redshift_connector_cve_2026_8838.py or python check_redshift_connector_cve_2026_8838.py; no elevated privileges are required unless you need them to access a restricted runtime environment.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# check_redshift_connector_cve_2026_8838.py
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

import sys

MIN_SAFE = (2, 1, 14)
PKG_NAMES = ["redshift_connector", "amazon-redshift-python-driver"]


def parse_version(v):
    if not v:
        return None
    out = []
    for part in str(v).split('.'):
        num = ''
        for ch in part:
            if ch.isdigit():
                num += ch
            else:
                break
        if num == '':
            return None
        out.append(int(num))
    while len(out) < 3:
        out.append(0)
    return tuple(out[:3])


def get_installed_version():
    try:
        try:
            from importlib import metadata as importlib_metadata
        except ImportError:
            import importlib_metadata  # type: ignore

        for name in PKG_NAMES:
            try:
                return name, importlib_metadata.version(name)
            except Exception:
                pass
    except Exception:
        pass

    try:
        import redshift_connector  # type: ignore
        v = getattr(redshift_connector, "__version__", None)
        return "redshift_connector", v
    except Exception:
        return None, None


if __name__ == "__main__":
    pkg, version = get_installed_version()

    if not pkg or not version:
        print("UNKNOWN: redshift_connector not found in current Python environment")
        sys.exit(2)

    parsed = parse_version(version)
    if parsed is None:
        print(f"UNKNOWN: found {pkg} version '{version}' but could not parse it")
        sys.exit(2)

    if parsed >= MIN_SAFE:
        print(f"PATCHED: found {pkg} version {version} (>= 2.1.14)")
        sys.exit(0)

    print(f"VULNERABLE: found {pkg} version {version} (< 2.1.14)")
    sys.exit(1)
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull an inventory of every Python runtime that imports redshift_connector, especially ETL workers, schedulers, notebooks, and data apps, and move all instances to 2.1.14. Because this is a MEDIUM reassessment, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; the noisgate remediation SLA is therefore ≤ 365 days. That said, if you find weak DB trust controls like permissive outbound access or non-validating TLS, tighten those immediately while you schedule the package upgrade.

Sources

  1. AWS Security Bulletin 2026-033-AWS
  2. GitHub Security Advisory GHSA-29h4-r29x-hchv
  3. NVD CVE-2026-8838
  4. PyPI redshift-connector release history
  5. amazon-redshift-python-driver README / connection parameters
  6. AWS Redshift infrastructure security
  7. CISA Known Exploited Vulnerabilities Catalog
  8. EPSS mirror for CVE-2026-8838 percentile view
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.