CVE-2026-35560
HIGHImproper certificate validation in identity provider connection components in Amazon Athena ODBC driver
Title source: cnaDescription
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena. To remediate this issue, users should upgrade to version 2.1.0.0.
References (6)
Core 6
Core References
Patch patch
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi
Patch patch
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm
Vendor Advisory vendor-advisory
https://aws.amazon.com/security/security-bulletins/2026-013-aws/
Release Notes release-notes
https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html
Scores
CVSS v3
7.4
EPSS
0.0026
EPSS Percentile
17.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-295
Status
published
Products (2)
Amazon/Amazon Athena ODBC driver
2.1.0.0
amazon/athena_odbc
< 2.1.0.0
Published
Apr 03, 2026
Tracked Since
Apr 04, 2026