Cyber Resilience

CVE-2026-8178

Critical

Published: 08 May 2026

Published
08 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v4 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0057 43.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-8178 is a critical-severity Unsafe Reflection (CWE-470) vulnerability in Amazon Redshift JDBC Driver (inferred from references). Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 43.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute…

more

code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Unsafe reflection via attacker-controlled JDBC URL enables arbitrary class loading/execution in client application context (CWE-470).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-4990Shared CWE-470
CVE-2026-41175Shared CWE-470
CVE-2025-53693Shared CWE-470
CVE-2026-33157Shared CWE-470
CVE-2026-32264Shared CWE-470
CVE-2026-44339Shared CWE-470
CVE-2025-34393Shared CWE-470
CVE-2026-25498Shared CWE-470
CVE-2025-63690Shared CWE-470
CVE-2025-68455Shared CWE-470

Affected Assets

Amazon
Redshift JDBC Driver
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-470

Externally controlled class or code selection can be resolved and invoked inside the chamber, surfacing unsafe reflection without system impact.

References