Description
Insufficient authentication security controls in the browser-based authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to intercept or hijack authentication sessions due to insufficient protections in the browser-based authentication flows.

To remediate this issue, users should upgrade to version 2.1.0.0.
Published: 2026-04-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential authentication session hijacking leading to unauthorized data access
Action: Upgrade Now
AI Analysis

Impact

Amazon's Athena ODBC driver contains insufficient authentication controls in its browser-based authentication components. The flaw, present in all releases before 2.1.0.0, can allow an attacker to intercept or hijack authentication sessions when a user initiates a connection. This compromise could enable unauthorized individuals to gain access to data queried through Athena, affecting the confidentiality and integrity of the underlying datasets.

Affected Systems

The affected vendor is Amazon, with the product Amazon Athena ODBC driver. All versions released prior to 2.1.0.0 are vulnerable. The flaw exists across platforms supporting the driver, including Linux, macOS (Intel and arm), and Windows, as indicated by the associated platform enumerations.

Risk and Exploitability

The CVSS score of 9.1 is rated Critical. However, the EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation activity. The likely attack vector involves a user or a local attacker leveraging the browser-based authentication flow to compromise credentials; mitigations should therefore focus on applying the vendor's approved patch and avoiding the use of older drivers.

Generated by OpenCVE AI on April 14, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Amazon Athena ODBC driver to version 2.1.0.0 or newer.
  • Verify that the installed driver matches the latest release by reviewing release notes and product version information.
  • If upgrading cannot be performed immediately, restrict the use of older driver versions and monitor for updated security advisories.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Amazon athena Odbc
Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows
CPEs cpe:2.3:a:amazon:athena_odbc:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Amazon athena Odbc
Apple
Apple macos
Linux
Linux linux Kernel
Microsoft
Microsoft windows

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Amazon
Amazon amazon Athena Odbc Driver
Vendors & Products Amazon
Amazon amazon Athena Odbc Driver

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Description Insufficient authentication security controls in the browser-based authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to intercept or hijack authentication sessions due to insufficient protections in the browser-based authentication flows. To remediate this issue, users should upgrade to version 2.1.0.0.
Title Insufficient authentication security controls in browser-based authentication components in Amazon Athena ODBC driver
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-07T13:09:01.619Z

Reserved: 2026-04-03T13:43:36.914Z

Link: CVE-2026-35561

Vulnrichment

Updated: 2026-04-06T15:06:23.753Z

NVD

Status : Analyzed

Published: 2026-04-03T21:17:12.250

Modified: 2026-04-14T16:14:29.093

Link: CVE-2026-35561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z