Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Insufficient authentication security controls in the browser-based authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to intercept or hijack authentication sessions due to insufficient protections in the browser-based authentication flows.
To remediate this issue, users should upgrade to version 2.1.0.0.
AnalysisAI
Browser-based authentication session hijacking in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows remote unauthenticated attackers to intercept authentication sessions, potentially compromising confidentiality and integrity of database access. The vulnerability stems from insufficient authentication security controls (CWE-862) in browser-based authentication flows. Amazon has released patches for Windows, Linux, and macOS platforms. No active exploitation is confirmed via CISA KEV, though the CVSS score of 7.4 reflects high attack complexity requiring precise timing or conditions to exploit successfully.
Technical ContextAI
This vulnerability affects the Amazon Athena ODBC driver (CPE: cpe:2.3:a:amazon:amazon_athena_odbc_driver), a database connectivity driver that enables ODBC-compliant applications to connect to Amazon Athena for SQL query execution. The flaw resides in the browser-based authentication flow implementation, which is commonly used for OAuth or federated identity workflows where authentication is delegated to a web browser. The root cause is classified as CWE-862 (Missing Authorization), indicating that the authentication components failed to properly validate or protect session tokens during the browser-based authentication handshake. This could manifest as insufficient token binding, lack of state parameter validation in OAuth flows, missing PKCE (Proof Key for Code Exchange) protections, or inadequate session token encryption during inter-process communication between the browser and ODBC driver. The CVSS vector AV:N/AC:H/PR:N indicates network-based exploitation without requiring authentication, though high attack complexity suggests the attacker must overcome non-trivial obstacles such as precise timing windows or specific environmental conditions.
RemediationAI
Organizations should immediately upgrade to Amazon Athena ODBC driver version 2.1.0.0 or later, which contains fixes for the authentication session protection weaknesses. Platform-specific installers are available directly from AWS: Windows users should deploy AmazonAthenaODBC-2.1.0.0.msi from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi, Linux administrators should install the RPM package from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm, and macOS users should use the appropriate architecture-specific installer (ARM: https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg or Intel: https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg). Until patching is complete, organizations should consider implementing network-level controls to restrict ODBC driver network access, enable enhanced logging for authentication events, and review recent authentication logs for anomalous session patterns. The full release notes are available at https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html for additional context on the security improvements in version 2.1.0.0.
More in Amazon Athena Odbc Driver
View allMan-in-the-middle attacks can intercept authentication credentials in Amazon Athena ODBC driver versions prior to 2.1.0.
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to tr
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary cod
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated l
Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18857