Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper neutralization of special elements in the authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to execute arbitrary code or redirect authentication flows by using specially crafted connection parameters that are processed by the driver during user-initiated authentication.
To remediate this issue, users should upgrade to version 2.1.0.0.
AnalysisAI
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary code or hijack authentication flows through malicious connection parameters during user-initiated database connections. With a CVSS 7.3 rating, the vulnerability requires user interaction but no authentication (CVSS:4.0 AV:L/PR:N/UI:P), enabling high impact to confidentiality, integrity, and availability on the local system. Vendor-released patches are available across all platforms (Windows, Linux, macOS). No public exploit or active exploitation confirmed at time of analysis, though EPSS data not available for risk calibration.
Technical ContextAI
This vulnerability affects the authentication components of Amazon Athena ODBC driver, a database connectivity interface allowing applications to query Amazon Athena using the Open Database Connectivity standard. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), commonly known as command injection. The driver fails to properly sanitize connection parameters supplied during authentication setup, allowing specially crafted input strings to be interpreted as executable commands rather than data. ODBC drivers typically parse Data Source Name (DSN) strings and connection attributes that can include server addresses, authentication credentials, and driver-specific parameters-any of which could serve as injection vectors if not properly validated. The affected product is identified by CPE cpe:2.3:a:amazon:amazon_athena_odbc_driver:*:*:*:*:*:*:*:* covering all versions before 2.1.0.0 across Windows, Linux, and macOS platforms.
RemediationAI
Upgrade immediately to Amazon Athena ODBC driver version 2.1.0.0, which contains fixes for the command injection vulnerability. Platform-specific installation packages are available directly from AWS: Windows users should install AmazonAthenaODBC-2.1.0.0.msi from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi; Linux administrators should deploy the RPM from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm; macOS ARM systems require https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg while Intel Macs need https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg. Until patching is complete, organizations should restrict connection string sources to trusted administrative channels, avoid accepting DSN configurations from untrusted users or files, and implement application-layer validation of connection parameters. Review audit logs for suspicious authentication attempts or unusual connection patterns that might indicate exploitation attempts. No effective workaround exists that maintains full functionality while eliminating risk.
More in Amazon Athena Odbc Driver
View allBrowser-based authentication session hijacking in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows remote unau
Man-in-the-middle attacks can intercept authentication credentials in Amazon Athena ODBC driver versions prior to 2.1.0.
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to tr
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated l
Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver
Same weakness CWE-77 – Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18851