CRITICALCVE-2026-35560Published 2026-04-03Modified 2026-04-07CNA AMZN

CVE-2026-35560: Improper certificate validation in identity provider connection components in Amazon Athena ODBC driver

Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena. To remediate this issue, users should upgrade to version 2.1.0.0.

CVSS v4.0: 9.1
Severity: CRITICAL
Fixed in: 2.1.0.0
Affected Products: 1

Fix available

2.1.0.0

Patch commits

downloads.athena.us-east-1.amazonaws.com
downloads.athena.us-east-1.amazonaws.com
downloads.athena.us-east-1.amazonaws.com
downloads.athena.us-east-1.amazonaws.com

Affected packages

Amazon / Amazon Athena ODBC driver
Fixed in 2.1.0.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

downloads.athena.us-east-1.amazonaws.com
downloads.athena.us-east-1.amazonaws.com
downloads.athena.us-east-1.amazonaws.com
downloads.athena.us-east-1.amazonaws.com
aws.amazon.com
docs.aws.amazon.com

Metrics

Fix available