Description
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena.

To remediate this issue, users should upgrade to version 2.1.0.0.
Published: 2026-04-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Man‑in‑the‑middle credential interception
Action: Immediate Patch
AI Analysis

Impact

An improper certificate validation flaw exists in the identity provider connection components of the Amazon Athena ODBC driver, allowing a man‑in‑the‑middle attacker to intercept authentication credentials when the driver connects to external identity providers. The vulnerability is characterized by insufficient default transport security and is classified as a certificate validation error (CWE‑295). It does not affect connections directly to Amazon Athena itself, only to third‑party identity systems.

Affected Systems

The flaw affects versions of the Amazon Athena ODBC driver released before 2.1.0.0, including builds for Linux, macOS (Intel and Apple Silicon), and Windows platforms. The affected driver maintains connections to external identity providers and is deployed in environments where Athena clients rely on external authentication.

Risk and Exploitability

The CVSS score of 9.1 highlights a high severity, while the EPSS score below 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no publicly known active exploit, yet the attack vector is remote and could be realized by compromising network traffic between client and the identity provider. The impact includes possible disclosure of credentials and further unauthorized access to Athena resources.

Generated by OpenCVE AI on April 14, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Amazon Athena ODBC driver to version 2.1.0.0 or newer to eliminate the certificate validation flaw.
  • Confirm that connections to external identity providers enforce proper TLS certificate validation, ensuring that the server’s certificate chain is verified against trusted roots.
  • If an immediate driver upgrade is not feasible, enforce certificate validation at the application or network level—e.g., by configuring client tools to reject untrusted certificates or by using a firewall that blocks traffic without valid TLS handshakes.
  • Continuously monitor logs for abnormal authentication traffic and be prepared to apply the latest driver update as soon as it becomes available.

Generated by OpenCVE AI on April 14, 2026 at 18:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Amazon athena Odbc
Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:amazon:athena_odbc:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Amazon athena Odbc
Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Amazon
Amazon amazon Athena Odbc Driver
Vendors & Products Amazon
Amazon amazon Athena Odbc Driver

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena. To remediate this issue, users should upgrade to version 2.1.0.0.
Title Improper certificate validation in identity provider connection components in Amazon Athena ODBC driver
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Amazon Amazon Athena Odbc Driver Athena Odbc
Apple Macos
Linux Linux Kernel
Microsoft Windows
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-07T13:09:13.079Z

Reserved: 2026-04-03T13:43:36.914Z

Link: CVE-2026-35560

cve-icon Vulnrichment

Updated: 2026-04-06T15:20:12.086Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T21:17:12.073

Modified: 2026-04-14T16:14:15.240

Link: CVE-2026-35560

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses