Skip to main content

Amazon Athena Odbc Driver CVE-2026-35560

| EUVDEUVD-2026-18855 CRITICAL
Improper Certificate Validation (CWE-295)
2026-04-03 AMZN
9.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18855
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
Patch released
Apr 03, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 03, 2026 - 20:10 nvd
CRITICAL 9.1

DescriptionCVE.org

Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena.

To remediate this issue, users should upgrade to version 2.1.0.0.

AnalysisAI

Man-in-the-middle attacks can intercept authentication credentials in Amazon Athena ODBC driver versions prior to 2.1.0.0 when connecting to external identity providers due to improper certificate validation (CWE-295). This network-accessible vulnerability (CVSS 7.4) affects deployments using federated authentication with external IdPs, allowing attackers positioned on the network path to capture credentials during the authentication handshake. Amazon has released patched versions 2.1.0.0 across all platforms (Windows, Linux, macOS). No public exploit identified at time of analysis, though the attack complexity is rated high and requires network positioning.

Technical ContextAI

The vulnerability resides in the identity provider connection components of the Amazon Athena ODBC driver, which implements database connectivity for AWS Athena query service. The root cause is CWE-295 (Improper Certificate Validation), indicating the driver failed to properly validate TLS/SSL certificates when establishing secure connections to external identity providers during federated authentication flows (such as SAML, OAuth, or OpenID Connect). This certificate validation weakness creates an exploitable window during the authentication handshake where an attacker with network interception capabilities can present fraudulent certificates without detection. The vulnerability is specific to external IdP authentication paths and does not affect direct Athena connections, suggesting the issue lies in the SAML/OAuth client implementation rather than the core database protocol layer. The CVSS vector AV:N indicates network-based exploitation, while AC:H (high complexity) suggests successful attacks require precise network positioning or additional prerequisites beyond simple remote access.

RemediationAI

Immediately upgrade all Amazon Athena ODBC driver installations to version 2.1.0.0, which implements proper certificate validation for external identity provider connections. Platform-specific patched installers are available directly from AWS: Windows users should deploy AmazonAthenaODBC-2.1.0.0.msi from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi, Linux environments should install AmazonAthenaODBC-2.1.0.0.rpm from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm, macOS ARM systems require AmazonAthenaODBC-2.1.0.0_arm.pkg, and macOS Intel systems need AmazonAthenaODBC-2.1.0.0_x86.pkg. Consult AWS Security Bulletin 2026-013 at https://aws.amazon.com/security/security-bulletins/2026-013-aws/ for complete remediation guidance and any additional configuration requirements. Until patching is complete, consider implementing compensating controls such as restricting ODBC driver usage to trusted network segments, enforcing VPN requirements for all Athena connections, or temporarily using direct Athena authentication methods instead of external IdP federation where operationally feasible.

Share

CVE-2026-35560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy