CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Issues with Amazon Athena ODBC Driver

unknownCVE-2026-5485CVE-2026-35558CVE-2026-35559CVE-2026-35560CVE-2026-35561CVE-2026-35562
Bulletin ID: 2026-013-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/03 13:00 PM PDT Description: The Amazon Athena ODBC driver implements standard ODBC application program interfaces (APIs). The ODBC driver provides access to Amazon Athena from any C/C++ application. The Amazon Athena ODBC driver provides 64-bit ODBC drivers for Windows, Linux and MAC operating systems. We identified the following: - CVE-2026-5485: OS command injection in browser-based authentication component (Linux only, fixed in 2.0.5.1) - CVE-2026-35558: Improper neutralization of special elements in authentication components - CVE-2026-35559: Out-of-bounds write in query processing components - CVE-2026-35560: Improper certificate validation in identity provider connection components - CVE-2026-35561: Insufficient authentication security controls in browser-based authentication components - CVE-2026-35562: Allocation of resources without limits in parsing components Impacted versions: CVE-2026-5485 was addressed in 2.0.5.1 (Linux only). The remaining five (CVE-2026-35558 through CVE-2026-35562) were addressed in version 2.1.0.0 and apply to all supported platforms Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
Multiple vulnerabilities including OS command injection and improper certificate validation have been identified.
Who is affected
Users of the Amazon Athena ODBC driver on Linux and other operating systems.
Urgency
Remediation is critical due to the presence of command injection vulnerabilities.
Action
Upgrade to version 2.0.5.1 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Athena ODBC Driver

Get an email when a new Athena ODBC Driver advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-013-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-5485coverage & exploitation statusNVD · CVE.org
CVE-2026-35558coverage & exploitation statusNVD · CVE.org
CVE-2026-35559coverage & exploitation statusNVD · CVE.org
CVE-2026-35560coverage & exploitation statusNVD · CVE.org
CVE-2026-35561coverage & exploitation statusNVD · CVE.org
CVE-2026-35562coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins