Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OS command injection in the browser-based authentication component in Amazon Athena ODBC driver before 2.0.5.1 on Linux might allow a threat actor to execute arbitrary code by using specially crafted connection parameters that are loaded by the driver during a local user-initiated connection.
To remediate this issue, users should upgrade to version 2.0.5.1 or later.
AnalysisAI
Local code execution via command injection in Amazon Athena ODBC driver for Linux (pre-2.0.5.1) allows unauthenticated local attackers to execute arbitrary commands by crafting malicious connection parameters processed during user-initiated database connections. Vendor-released patches available across all platforms (version 2.1.0.0). No active exploitation confirmed (not in CISA KEV); CVSS 7.3 reflects high impact but requires local access and user interaction, limiting remote attack surface.
Technical ContextAI
This vulnerability affects the browser-based authentication component of the Amazon Athena ODBC driver, which provides connectivity to AWS Athena query services. The flaw is classified as CWE-78 (OS Command Injection), occurring when the driver processes connection parameters during authentication setup. ODBC drivers typically parse Data Source Name (DSN) strings and connection attributes to establish database sessions; insufficient input validation in the browser authentication flow allows shell metacharacters or command sequences in these parameters to be interpreted by the underlying operating system. The Linux-specific nature suggests the vulnerable code path involves platform-dependent system calls or shell invocation during OAuth/browser-based SSO workflows. The CPE identifier cpe:2.3:a:amazon:amazon_athena_odbc_driver confirms all versions prior to the patched release are vulnerable, with primary impact on Linux deployments though patches were issued for Windows and macOS as well.
RemediationAI
Upgrade immediately to Amazon Athena ODBC driver version 2.1.0.0 or later, which supersedes the minimum patched version 2.0.5.1 referenced in the vulnerability disclosure. AWS provides platform-specific installation packages: Linux users should deploy AmazonAthenaODBC-2.1.0.0.rpm from https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm; Windows environments should install AmazonAthenaODBC-2.1.0.0.msi; macOS ARM systems require AmazonAthenaODBC-2.1.0.0_arm.pkg and Intel-based Macs need AmazonAthenaODBC-2.1.0.0_x86.pkg. No workarounds are documented in vendor advisories. As interim risk reduction, restrict connection string configuration to trusted administrative sources, implement input validation on any externally-sourced DSN parameters, and audit existing ODBC data source configurations for anomalous command characters. Consult the comprehensive security bulletin at https://aws.amazon.com/security/security-bulletins/2026-013-aws/ for additional deployment guidance and verification procedures.
More in Amazon Athena Odbc Driver
View allBrowser-based authentication session hijacking in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows remote unau
Man-in-the-middle attacks can intercept authentication credentials in Amazon Athena ODBC driver versions prior to 2.1.0.
Resource exhaustion in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows unauthenticated remote attackers to tr
Command injection in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows local attackers to execute arbitrary cod
Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18861
GHSA-hc25-p37h-5hmf