CVE-2026-35560

CVE Database · CVE-2026-35560

CVE-2026-35560

· HIGHAnalyzed

CVSS v3.1

7.4

CVSS v4.0

9.1

EPSS

0.26%

Published

Apr 3, 2026

Modified

Apr 14, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Improper certificate validation in the identity provider connection components in Amazon Athena ODBC driver before 2.1.0.0 might allow a man-in-the-middle threat actor to intercept authentication credentials due to insufficient default transport security when connecting to identity providers. This only applies to connections with external identity providers and does not apply to connections with Athena. To remediate this issue, users should upgrade to version 2.1.0.0.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses (CWE)

CWE-295

Affected Products (4)

amazon · athena_odbc (up to 2.1.0.0)vulnerable

apple · macos

linux · linux_kernel

microsoft · windows

References (6)

https://aws.amazon.com/security/security-bulletins/2026-013-aws/

Vendor Advisory