CVE-2026-5485 - Vulnerability Details

- OS command injection in Amazon Athena ODBC driver on Linux

Description

OS command injection in the browser-based authentication component in Amazon Athena ODBC driver before 2.0.5.1 on Linux might allow a threat actor to execute arbitrary code by using specially crafted connection parameters that are loaded by the driver during a local user-initiated connection.

To remediate this issue, users should upgrade to version 2.0.5.1 or later.

Published: 2026-04-03

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an operating system command injection in the browser-based authentication component of the Amazon Athena ODBC driver on Linux. Specially crafted connection parameters that the driver loads during a local user‑initiated connection can cause the driver to execute arbitrary system commands. This is a classic CWE‑78 weakness, allowing an attacker who can influence the connection string to run arbitrary code with the privileges of the user running the driver, potentially compromising confidentiality, integrity, and availability of the host.

Affected Systems

Amazon’s Athena ODBC driver for Linux before version 2.0.5.1 is affected. Users who have installed this driver on their Linux systems are at risk; the manufacturer lists the driver under Amazon Athena ODBC in their security bulletins and release notes.

Risk and Exploitability

The CVSS base score is 7.3, indicating a high impact, while the EPSS score is below 1% and the vulnerability is not yet listed in the CISA KEV catalog, suggesting current exploitation potential is low. However, the attack requires a local user to initiate an ODBC connection with malicious parameters, which means that if a user account is compromised or the driver is used in an untrusted environment, remote code execution is possible. The vulnerability’s severity and the fact that it can be directly triggered by crafted input raise the overall risk to a higher level for systems with loosely controlled access to the driver.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Amazon

Amazon Athena ODBC driver

unaffected

Version	Status	Constraints
`2.0.5.1`	unaffected	—

Configuration 1 [-]

AND

cpe:2.3:a:amazon:athena_odbc:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Amazon

Amazon Athena Odbc Driver

100%

Version	Status	Scheme	Platform
`2.0.5.1`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Amazon Athena ODBC driver to version 2.0.5.1 or later.

Generated by OpenCVE AI on April 14, 2026 at 18:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00102.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://aws.amazon.com/security/security-bulletins/2026-013-aws/
https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg
https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi

History

Tue, 14 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amazon athena Odbc Linux Linux linux Kernel
CPEs		cpe:2.3:a:amazon:athena_odbc:::::::: cpe:2.3:o:linux:linux_kernel:-:::::::*
Vendors & Products		Amazon athena Odbc Linux Linux linux Kernel

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amazon Amazon amazon Athena Odbc Driver
Vendors & Products		Amazon Amazon amazon Athena Odbc Driver

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
References	https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.p	https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg

Fri, 03 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		OS command injection in the browser-based authentication component in Amazon Athena ODBC driver before 2.0.5.1 on Linux might allow a threat actor to execute arbitrary code by using specially crafted connection parameters that are loaded by the driver during a local user-initiated connection. To remediate this issue, users should upgrade to version 2.0.5.1 or later.
Title		OS command injection in Amazon Athena ODBC driver on Linux
Weaknesses		CWE-78
References		https://aws.amazon.com/security/security-bulletins/2026-013-aws/ https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.p https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/AmazonAthenaODBC-2.1.0.0.msi
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Amazon Amazon Athena Odbc Driver Athena Odbc

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: AMZN

Published: 2026-04-03T20:13:14.946Z

Updated: 2026-04-07T03:55:34.174Z

Reserved: 2026-04-03T13:43:38.696Z

Link: CVE-2026-5485

Vulnrichment

Updated: 2026-04-06T14:59:00.673Z

NVD

Status : Analyzed

Published: 2026-04-03T21:17:12.603

Modified: 2026-04-14T16:14:49.373

Link: CVE-2026-5485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object