CVE-2026-8838 does not yet appear in the GitHub Advisory Database

[stew-larsen]

CVE-2026-8838 does not yet appear in the GitHub Advisory Database. The
query https://github.com/advisories?query=CVE-2026-8838 returns no
results as of 2026-05-25, seven days after AWS published the bulletin.

Details:

• CVE: CVE-2026-8838
• Vulnerability: Remote Code Execution in the Amazon Redshift Python
  driver (amazon-redshift-python-driver), distributed on PyPI as
  redshift-connector.
• Ecosystem: pip (PyPI)
• Package: redshift-connector
• Affected versions: <= 2.1.13
• Patched version: 2.1.14
• Upstream repository: https://github.com/aws/amazon-redshift-python-driver
• Vendor advisory: AWS Security Bulletin AWS-2026-033, published
  2026-05-18 — https://aws.amazon.com/security/security-bulletins/rss/2026-033-aws/

Impact / why this matters: redshift-connector is a transitive
dependency of apache-airflow-providers-amazon, so a large number of
Airflow deployments are exposed. Without a GHSA entry, Dependabot does
not flag affected installations, which is blocking downstream
remediation tracking.

Could this CVE be ingested and a GHSA assigned? Happy to provide any
additional context.

Thanks!