Home

Description

Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena. To remediate this issue, users should upgrade to version 2.1.0.0.

PUBLISHED Reserved 2026-04-03 | Published 2026-04-03 | Updated 2026-04-07 | Assigner AMZN




HIGH: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CRITICAL: 9.1CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-295: Improper Certificate Validation

Product status

Default status
unaffected

2.1.0.0
unaffected

References

downloads.athena.us-east-1.amazonaws.com/...ODBC-2.1.0.0.msi patch

downloads.athena.us-east-1.amazonaws.com/...ODBC-2.1.0.0.rpm patch

downloads.athena.us-east-1.amazonaws.com/...-2.1.0.0_arm.pkg patch

downloads.athena.us-east-1.amazonaws.com/...-2.1.0.0_x86.pkg patch

aws.amazon.com/security/security-bulletins/2026-013-aws/ vendor-advisory

docs.aws.amazon.com/.../ug/odbc-v2-driver-release-notes.html release-notes

cve.org (CVE-2026-35560)

nvd.nist.gov (CVE-2026-35560)

Download JSON