CVE-2026-35560

HIGH

Improper certificate validation in identity provider connection components in Amazon Athena ODBC driver

Title source: cna

Description

Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena. To remediate this issue, users should upgrade to version 2.1.0.0.

References (6)

[Patch] https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi

[Patch] https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm

[Patch] https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg

[Patch] https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg

[Vendor Advisory] https://aws.amazon.com/security/security-bulletins/2026-013-aws/

[Release Notes] https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html

Scores

CVSS v3 7.4

EPSS 0.0001

EPSS Percentile 2.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-295

Status published

Products (2)

Amazon/Amazon Athena ODBC driver 2.1.0.0

amazon/athena_odbc < 2.1.0.0

Published Apr 03, 2026

Tracked Since Apr 04, 2026