Vulnerability Description
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena. To remediate this issue, users should upgrade to version 2.1.0.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Athena ODBC | < 2.1.0.0 |
| Apple | macOS | - |
| Linux | Linux Kernel | - |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://aws.amazon.com/security/security-bulletins/2026-013-aws/ (Vendor Advisory)
- https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html (Release Notes)
- https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/Ama (Patch, Product)
- https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel (Patch, Product)
- https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/A (Patch, Product)
- https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Windows/A (Patch, Product)
FAQ
What is CVE-2026-35560?
CVE-2026-35560 is a vulnerability with a CVSS score of 7.4 (HIGH). Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication cred...
How severe is CVE-2026-35560?
CVE-2026-35560 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-35560?
Check the references section above for vendor advisories and patch information. Affected products include: Amazon Athena ODBC, Apple macOS, Linux Linux Kernel, Microsoft Windows.