Skip to main content

Amazon Athena Odbc Driver CVE-2026-35561

| EUVDEUVD-2026-18857 CRITICAL
Missing Authorization (CWE-862)
2026-04-03 AMZN
9.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18857
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
Patch released
Apr 03, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 03, 2026 - 20:10 nvd
CRITICAL 9.1

DescriptionCVE.org

Insufficient authentication security controls in the browser-based authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to intercept or hijack authentication sessions due to insufficient protections in the browser-based authentication flows.

To remediate this issue, users should upgrade to version 2.1.0.0.

AnalysisAI

Browser-based authentication session hijacking in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows remote unauthenticated attackers to intercept authentication sessions, potentially compromising confidentiality and integrity of database access. The vulnerability stems from insufficient authentication security controls (CWE-862) in browser-based authentication flows. Amazon has released patches for Windows, Linux, and macOS platforms. No active exploitation is confirmed via CISA KEV, though the CVSS score of 7.4 reflects high attack complexity requiring precise timing or conditions to exploit successfully.

Technical ContextAI

This vulnerability affects the Amazon Athena ODBC driver (CPE: cpe:2.3:a:amazon:amazon_athena_odbc_driver), a database connectivity driver that enables ODBC-compliant applications to connect to Amazon Athena for SQL query execution. The flaw resides in the browser-based authentication flow implementation, which is commonly used for OAuth or federated identity workflows where authentication is delegated to a web browser. The root cause is classified as CWE-862 (Missing Authorization), indicating that the authentication components failed to properly validate or protect session tokens during the browser-based authentication handshake. This could manifest as insufficient token binding, lack of state parameter validation in OAuth flows, missing PKCE (Proof Key for Code Exchange) protections, or inadequate session token encryption during inter-process communication between the browser and ODBC driver. The CVSS vector AV:N/AC:H/PR:N indicates network-based exploitation without requiring authentication, though high attack complexity suggests the attacker must overcome non-trivial obstacles such as precise timing windows or specific environmental conditions.

RemediationAI

Organizations should immediately upgrade to Amazon Athena ODBC driver version 2.1.0.0 or later, which contains fixes for the authentication session protection weaknesses. Platform-specific installers are available directly from AWS: Windows users should deploy AmazonAthenaODBC-2.1.0.0.msi from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi, Linux administrators should install the RPM package from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm, and macOS users should use the appropriate architecture-specific installer (ARM: https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg or Intel: https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg). Until patching is complete, organizations should consider implementing network-level controls to restrict ODBC driver network access, enable enhanced logging for authentication events, and review recent authentication logs for anomalous session patterns. The full release notes are available at https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html for additional context on the security improvements in version 2.1.0.0.

Share

CVE-2026-35561 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy