Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena.
To remediate this issue, users should upgrade to version 2.1.0.0.
AnalysisAI
Man-in-the-middle attacks can intercept authentication credentials in Amazon Athena ODBC driver versions prior to 2.1.0.0 when connecting to external identity providers due to improper certificate validation (CWE-295). This network-accessible vulnerability (CVSS 7.4) affects deployments using federated authentication with external IdPs, allowing attackers positioned on the network path to capture credentials during the authentication handshake. Amazon has released patched versions 2.1.0.0 across all platforms (Windows, Linux, macOS). No public exploit identified at time of analysis, though the attack complexity is rated high and requires network positioning.
Technical ContextAI
The vulnerability resides in the identity provider connection components of the Amazon Athena ODBC driver, which implements database connectivity for AWS Athena query service. The root cause is CWE-295 (Improper Certificate Validation), indicating the driver failed to properly validate TLS/SSL certificates when establishing secure connections to external identity providers during federated authentication flows (such as SAML, OAuth, or OpenID Connect). This certificate validation weakness creates an exploitable window during the authentication handshake where an attacker with network interception capabilities can present fraudulent certificates without detection. The vulnerability is specific to external IdP authentication paths and does not affect direct Athena connections, suggesting the issue lies in the SAML/OAuth client implementation rather than the core database protocol layer. The CVSS vector AV:N indicates network-based exploitation, while AC:H (high complexity) suggests successful attacks require precise network positioning or additional prerequisites beyond simple remote access.
RemediationAI
Immediately upgrade all Amazon Athena ODBC driver installations to version 2.1.0.0, which implements proper certificate validation for external identity provider connections. Platform-specific patched installers are available directly from AWS: Windows users should deploy AmazonAthenaODBC-2.1.0.0.msi from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi, Linux environments should install AmazonAthenaODBC-2.1.0.0.rpm from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm, macOS ARM systems require AmazonAthenaODBC-2.1.0.0_arm.pkg, and macOS Intel systems need AmazonAthenaODBC-2.1.0.0_x86.pkg. Consult AWS Security Bulletin 2026-013 at https://aws.amazon.com/security/security-bulletins/2026-013-aws/ for complete remediation guidance and any additional configuration requirements. Until patching is complete, consider implementing compensating controls such as restricting ODBC driver usage to trusted network segments, enforcing VPN requirements for all Athena connections, or temporarily using direct Athena authentication methods instead of external IdP federation where operationally feasible.
More in Amazon Athena Odbc Driver
View allBrowser-based authentication session hijacking in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows remote unau
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to tr
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary cod
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated l
Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18855