Cyber Posture

CVE-2026-5485

High

Published: 03 April 2026

Modified: 14 April 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5485 is a high-severity OS Command Injection (CWE-78) vulnerability in the Amazon Athena ODBC driver. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 27.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Requires timely remediation of the OS command injection flaw by upgrading the Amazon Athena ODBC driver to version 2.0.5.1 or later.

prevent: Mandates validation and sanitization of connection parameters to block specially crafted inputs that enable OS command injection.

prevent: Implements memory protections like non-executable memory regions to mitigate arbitrary code execution even if command injection occurs.

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.004 Unix Shell (Tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the client-side ODBC driver enables arbitrary code execution on Linux via crafted local connection parameters, which maps directly to client application exploitation and Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OS command injection in the browser-based authentication component in Amazon Athena ODBC driver before 2.0.5.1 on Linux might allow a threat actor to execute arbitrary code by using specially crafted connection parameters that are loaded by the driver during a local user-initiated connection. To remediate this issue, users should upgrade to version 2.0.5.1 or later.

Deeper analysis [AI]

CVE-2026-5485 is an OS command injection vulnerability (CWE-78) in the browser-based authentication component of the Amazon Athena ODBC driver for Linux, affecting versions prior to 2.0.5.1. The flaw arises when the driver processes specially crafted connection parameters during a local user-initiated connection, potentially enabling arbitrary code execution. Published on April 3, 2026, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with local access required.

A local threat actor can exploit this vulnerability by tricking a user into initiating a connection with malicious parameters, such as through a controlled data source or configuration file. No privileges are needed (PR:N), but user interaction is required (UI:R), typically involving launching the driver in a browser-based authentication flow. Successful exploitation allows arbitrary OS command execution with the privileges of the local user running the driver.

AWS advisories recommend upgrading to Amazon Athena ODBC driver version 2.0.5.1 or later to remediate the issue, with release notes and updated Linux packages available via official download links. The AWS security bulletin details the vulnerability and patch availability.

Details

CWE(s)

Affected Products

Vendor: amazon
Product: athena odbc
Version: ≤ 2.0.5.1

CVEs Like This One

CVE-2025-33206 - Same product: Linux Linux Kernel
CVE-2025-33230 - Same product: Linux Linux Kernel
CVE-2025-9588 - Same product: Linux Linux Kernel
CVE-2026-31709 - Same product: Linux Linux Kernel
CVE-2026-31613 - Same product: Linux Linux Kernel
CVE-2026-35558 - Same product: Amazon Athena ODBC
CVE-2026-31607 - Same product: Linux Linux Kernel
CVE-2026-33412 - Shared CWE-78
CVE-2026-6849 - Shared CWE-78
CVE-2026-41015 - Shared CWE-78

References