Cyber Posture

CVE-2026-35561

High

Published: 03 April 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: available (fixed in 2.1.0.0)
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (8.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35561 is a high-severity Missing Authorization (CWE-862) vulnerability in the Amazon Athena ODBC driver. Its CVSS v3.1 base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The EPSS model ranks it at the 8.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Browser Session Hijacking (T1185). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent: Directly mitigates the CVE by requiring timely identification, reporting, and patching of the vulnerable Amazon Athena ODBC driver to version 2.1.0.0.

SC-23 (Session Authenticity), prevent: Protects against session hijacking in browser-based authentication flows by enforcing mechanisms that ensure session authenticity.

IA-5 (Authenticator Management), prevent: Strengthens authenticator management to address the insufficient protections in the browser-based authentication components of the ODBC driver.

MITRE ATT&CK Enterprise Techniques

T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

The vulnerability description explicitly mentions enabling session interception or hijacking in browser-based authentication flows, directly mapping to the Browser Session Hijacking technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Insufficient authentication security controls in the browser-based authentication components in Amazon Athena ODBC driver before 2.1.0.0 might allow a threat actor to intercept or hijack authentication sessions due to insufficient protections in the browser-based authentication flows. To remediate this issue, users should upgrade to version 2.1.0.0.

Deeper analysis

CVE-2026-35561 is a vulnerability involving insufficient authentication security controls in the browser-based authentication components of the Amazon Athena ODBC driver versions prior to 2.1.0.0. This flaw stems from inadequate protections in the browser-based authentication flows, which could enable session interception or hijacking, as classified under CWE-862 (Missing Authorization). The issue affects users of the affected ODBC driver on supported platforms including Linux, macOS Intel, and macOS ARM.

A remote attacker with no privileges (PR:N) could potentially exploit this vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) and does not involve user interaction (UI:N). Successful exploitation would grant high confidentiality (C:H) and integrity (I:H) impacts with no availability disruption (A:N) and unchanged scope (S:U), resulting in a CVSS v3.1 base score of 7.4. Attackers could intercept or hijack authentication sessions during the browser-based flows, potentially gaining unauthorized access to Athena resources.

The AWS security bulletin (2026-013) and Athena ODBC driver release notes recommend upgrading to version 2.1.0.0 to remediate the issue. Patch downloads are available for Linux RPM, macOS Intel PKG, and macOS ARM PKG from the official Athena driver repository.
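The remediation boundary matters when checking fleets: the advisory says "before 2.1.0.0", so 2.1.0.0 itself is fixed. The following is an added defender-side check, not code from AWS or from this page, that applies that boundary to a constructed inventory of hypothetical hosts and driver versions:

```python
import re
from typing import Iterable, List, Tuple

# Fixed release named in the NVD description and AWS bulletin for CVE-2026-35561.
FIXED_VERSION = "2.1.0.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version such as '2.0.3' or '2.1.0.0'.
    Trailing non-numeric parts (e.g. an RPM release tag '-1') are ignored."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    # Right-pad with zeros so '2.1.0' and '2.1.0.0' compare as equal.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed driver is strictly older than the fixed release.
    The advisory wording is 'before 2.1.0.0', so 2.1.0.0 is not affected even
    though the product table on this page prints the range as '<= 2.1.0.0'."""
    a, b = _pad(parse_version(installed), parse_version(fixed))
    return a < b


def hosts_needing_upgrade(inventory: Iterable[str]) -> List[Tuple[str, str]]:
    """Filter inventory lines of the form '<host> <driver-version>'."""
    out = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split(None, 1)
        if is_affected(version):
            out.append((host, version.strip()))
    return out


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    "# host            athena-odbc-version",
    "analyst-mac-01    2.0.3.0",
    "etl-node-07       2.1.0.0",
    "analyst-mac-02    2.1.0",
    "legacy-rhel-03    1.2.1.1000-1",
    "bi-server-11      2.1.1.0",
]

if __name__ == "__main__":
    for host, ver in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is before {FIXED_VERSION}; upgrade required")
```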

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products: Amazon Athena ODBC driver, versions before 2.1.0.0 (listed on this page as ≤ 2.1.0.0; 2.1.0.0 is the fixed release per the NVD description)

CVEs Like This One

CVE-2026-35562 (same product: Amazon Athena ODBC)
CVE-2026-35560 (same product: Amazon Athena ODBC)
CVE-2026-35558 (same product: Amazon Athena ODBC)
CVE-2025-11791 (same product: Apple macOS)
CVE-2026-21218 (same product: Apple macOS)
CVE-2026-26171 (same product: Apple macOS)
CVE-2026-26127 (same product: Apple macOS)
CVE-2026-32178 (same product: Apple macOS)
CVE-2026-30797 (same product: Apple macOS)
CVE-2026-5883 (same product: Apple macOS)
