Skip to main content

Amazon Athena Odbc Driver CVE-2026-5485

| EUVDEUVD-2026-18861 HIGH
OS Command Injection (CWE-78)
2026-04-03 AMZN GHSA-hc25-p37h-5hmf
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2026-18861
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
Patch released
Apr 03, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 03, 2026 - 20:13 nvd
HIGH 7.3

DescriptionCVE.org

OS command injection in the browser-based authentication component in Amazon Athena ODBC driver before 2.0.5.1 on Linux might allow a threat actor to execute arbitrary code by using specially crafted connection parameters that are loaded by the driver during a local user-initiated connection.

To remediate this issue, users should upgrade to version 2.0.5.1 or later.

AnalysisAI

Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated local attackers to execute arbitrary commands by crafting malicious connection parameters processed during user-initiated database connections. Vendor-released patches available across all platforms (version 2.1.0.0). No active exploitation confirmed (not in CISA KEV); CVSS 7.3 reflects high impact but requires local access and user interaction, limiting remote attack surface.

Technical ContextAI

This vulnerability affects the browser-based authentication component of the Amazon Athena ODBC driver, which provides connectivity to AWS Athena query services. The flaw is classified as CWE-78 (OS Command Injection), occurring when the driver processes connection parameters during authentication setup. ODBC drivers typically parse Data Source Name (DSN) strings and connection attributes to establish database sessions; insufficient input validation in the browser authentication flow allows shell metacharacters or command sequences in these parameters to be interpreted by the underlying operating system. The Linux-specific nature suggests the vulnerable code path involves platform-dependent system calls or shell invocation during OAuth/browser-based SSO workflows. The CPE identifier cpe:2.3:a:amazon:amazon_athena_odbc_driver confirms all versions prior to the patched release are vulnerable, with primary impact on Linux deployments though patches were issued for Windows and macOS as well.

RemediationAI

Upgrade immediately to Amazon Athena ODBC driver version 2.1.0.0 or later, which supersedes the minimum patched version 2.0.5.1 referenced in the vulnerability disclosure. AWS provides platform-specific installation packages: Linux users should deploy AmazonAthenaODBC-2.1.0.0.rpm from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm; Windows environments should install AmazonAthenaODBC-2.1.0.0.msi; macOS ARM systems require AmazonAthenaODBC-2.1.0.0_arm.pkg and Intel-based Macs need AmazonAthenaODBC-2.1.0.0_x86.pkg. No workarounds are documented in vendor advisories. As interim risk reduction, restrict connection string configuration to trusted administrative sources, implement input validation on any externally-sourced DSN parameters, and audit existing ODBC data source configurations for anomalous command characters. Consult the comprehensive security bulletin at https://aws.amazon.com/security/security-bulletins/2026-013-aws/ for additional deployment guidance and verification procedures.

Share

CVE-2026-5485 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy