CVE-2026-35561
Authentication Bypass in Amazon Athena ODBC Driver Enables Session Hijacking
Publication date: 2026-04-03
Last updated on: 2026-04-14
Assigner: AMZN
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | athena_odbc | before 2.1.0.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves insufficient authentication security controls in the browser-based authentication components of the Amazon Athena ODBC driver versions before 2.1.0.0.
Because of inadequate protections in the browser-based authentication flows, a threat actor might be able to intercept or hijack authentication sessions.
Upgrading to version 2.1.0.0 or later is recommended to remediate this issue.
How can this vulnerability impact me?
This vulnerability can allow an attacker to intercept or hijack authentication sessions when using the affected Amazon Athena ODBC driver.
Such interception or hijacking could lead to unauthorized access to your data or systems that rely on these authentication sessions.
The CVSS v3.1 base score of 7.4 and the v4.0 base score of 9.1 indicate high severity and emphasize the potential impact on confidentiality and integrity.
What immediate steps should I take to mitigate this vulnerability?
To remediate this issue, users should upgrade the Amazon Athena ODBC driver to version 2.1.0.0 or later.