CVE-2026-35560
Published: 03 April 2026
Summary
CVE-2026-35560 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in the Amazon Athena ODBC driver. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). It is ranked at the 3.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SC-8 (Transmission Confidentiality and Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates identifying, prioritizing, and applying patches, such as upgrading the Amazon Athena ODBC driver to version 2.1.0.0 to remediate the improper certificate validation flaw.
- SC-17 (Public Key Infrastructure Certificates): requires the establishment and management of PKI certificates with validation checks, preventing man-in-the-middle attacks that exploit improper certificate validation in identity provider connections.
- SC-8 (Transmission Confidentiality and Integrity): implements cryptographic mechanisms to protect transmission confidentiality and integrity, mitigating interception of authentication credentials over insufficiently secured connections to external identity providers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability's improper certificate validation (CWE-295) directly enables man-in-the-middle interception of authentication credentials sent to identity providers, which maps to T1557 Adversary-in-the-Middle.
NVD Description
Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena. To remediate this issue, users should upgrade to version 2.1.0.0.
Deeper analysis
CVE-2026-35560 involves improper certificate validation (CWE-295) in the identity provider connection components of the Amazon Athena ODBC driver versions before 2.1.0.0. The flaw stems from insufficient default transport security, which could enable a man-in-the-middle threat actor to intercept authentication credentials during connections to external identity providers. This vulnerability does not impact direct connections to Athena itself.
A remote, unauthenticated attacker (AV:N, PR:N) who can position themselves between the client and the external identity provider can exploit this issue; the attack has high complexity (AC:H) and requires no user interaction (UI:N). Successful exploitation allows the attacker to capture sensitive authentication credentials, resulting in high impacts to confidentiality and integrity (C:H/I:H) with unchanged scope (S:U) and no availability impact (A:N). The CVSS v3.1 base score is 7.4.
AWS recommends upgrading to Amazon Athena ODBC driver version 2.1.0.0 as the primary mitigation. Details are available in the AWS security bulletin (https://aws.amazon.com/security/security-bulletins/2026-013-aws/) and driver release notes (https://docs.aws.amazon.com/athena/latest/ug/odbc-v2-driver-release-notes.html), with patched binaries provided for Linux (https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Linux/AmazonAthenaODBC-2.1.0.0.rpm), Mac Intel (https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/Intel/AmazonAthenaODBC-2.1.0.0_x86.pkg), and Mac ARM (https://downloads.athena.us-east-1.amazonaws.com/drivers/ODBC/v2.1.0.0/Mac/arm/AmazonAthenaODBC-2.1.0.0_arm.pkg).
Details
- CWE(s)