CVE-2026-35560: Amazon Athena ODBC Driver Certificate Validation Flaw
A high-severity vulnerability tracked as CVE-2026-35560 (CVSS 7.4) has been disclosed in the Amazon Athena ODBC driver, versions prior to 2.1.0.0. The flaw involves improper certificate validation in the driver's identity provider connection components — the code path responsible for establishing authenticated sessions when using federated authentication (SAML, Okta, Azure AD, etc.) to connect to Amazon Athena.
Due to insufficient default transport security settings, a man-in-the-middle (MiTM) attacker positioned on the network path between the ODBC client and its configured identity provider can intercept and steal authentication credentials, including SAML assertions, bearer tokens, or plaintext credentials depending on the authentication flow in use.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-35560 |
| CVSS Score | 7.4 (High) |
| CWE Classification | CWE-295 — Improper Certificate Validation |
| Affected Component | Amazon Athena ODBC Driver — Identity Provider Connection |
| Affected Versions | All versions prior to 2.1.0.0 |
| Fixed Version | 2.1.0.0 |
| Attack Vector | Adjacent/Network — requires network positioning |
| Authentication Required | None (attacker must be network-positioned) |
| Scope | Authentication credentials, federated tokens |
Technical Background
The Amazon Athena ODBC driver supports federated authentication — allowing database clients to authenticate through enterprise identity providers (IdPs) such as:
- Okta
- Azure Active Directory
- ADFS (Active Directory Federation Services)
- PingFederate
- Custom SAML 2.0 providers
During the authentication handshake, the ODBC driver initiates a TLS connection to the configured identity provider endpoint to exchange credentials or SAML assertions. The vulnerability lies in the driver's failure to properly validate the TLS certificate presented by the identity provider server.
Specifically, in versions prior to 2.1.0.0, the driver's default configuration has one or more of the following weaknesses:
- Skips certificate chain validation — accepting any certificate, including self-signed ones
- Fails to enforce hostname verification — not confirming that the certificate's Common Name or Subject Alternative Name matches the expected IdP hostname
- Uses weak or missing trust store defaults — allowing certificates from untrusted or attacker-controlled CAs
Attack Scenario
1. Attacker gains a network-adjacent position (corporate Wi-Fi, VPN endpoint, cloud network peering, compromised router or DNS resolver)
2. Attacker performs ARP spoofing, DNS poisoning, or BGP manipulation to intercept traffic between the Athena ODBC client and its identity provider
3. Attacker presents a forged TLS certificate for the IdP endpoint
4. Athena ODBC driver (< 2.1.0.0) accepts the forged certificate due to missing/improper validation
5. Attacker decrypts the authentication flow and captures:
   - SAML assertions
   - OAuth/OIDC access tokens
   - Username/password credentials (in basic auth flows)
6. Attacker uses stolen credentials to:
   - Authenticate to Amazon Athena as the victim user
   - Access S3-backed data lake contents
   - Exfiltrate query results and data
   - Escalate privileges via the victim's AWS permissions
Affected Authentication Flows
Not all Athena ODBC configurations are equally impacted. Federated authentication configurations are most at risk:
| Configuration | Risk Level | Details |
|---|---|---|
| IAM credentials (access key/secret) | Lower | Credentials passed directly, not via IdP |
| IAM Identity Center (SSO) | High | Token exchange with IdP endpoint affected |
| Okta federation | High | SAML assertion exchange interceptable |
| Azure AD federation | High | OAuth token exchange interceptable |
| ADFS integration | High | SAML 2.0 flow interceptable |
| Instance profile/role assumption | Lower | Uses EC2 metadata service, not external IdP |
Organizations using any form of federated/SSO authentication with the Athena ODBC driver are at elevated risk.
Impact of Credential Theft
Stolen Athena credentials can enable:
- Full access to Amazon Athena query execution — including querying any tables the victim has access to
- S3 data exfiltration — Athena queries can scan and return data from S3 data lakes
- AWS permission escalation — if the stolen identity has broad AWS IAM permissions
- Audit log evasion — activity appears as legitimate queries from the victim's identity
Remediation
Primary Fix: Upgrade to ODBC Driver 2.1.0.0
Amazon has released version 2.1.0.0 of the Athena ODBC driver, which corrects the certificate validation behavior to:
- Enforce full TLS certificate chain validation against a trusted CA store
- Enforce hostname verification against the configured IdP endpoint hostname
- Default to secure transport settings for all identity provider connections
Download the updated driver from the Amazon Athena ODBC Driver documentation page.
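The three weaknesses listed under Technical Background and the three behaviours the 2.1.0.0 driver enforces correspond to ordinary TLS client settings. The Python below is an added example, not the Athena driver's code and not from Amazon: it builds a client context with the weak settings beside a hardened one, audits a context for those weaknesses, implements the hostname-matching rule a client must apply to the IdP certificate, and probes an IdP endpoint the way the Verification section later describes. The hostnames, the `cafile` parameter and the probe target are assumptions; only the Python standard library is used.

```python
"""Added example (not the Athena driver's code): the three IdP certificate
checks as plain Python ssl settings, an audit that spots their absence,
the hostname-matching rule, and a probe for the Verification step.
Hostnames and the probe target are assumptions; only the stdlib is used."""
import socket
import ssl
from typing import Optional


def weak_client_context() -> ssl.SSLContext:
    """Constructed to mirror the pre-2.1.0.0 failure modes: no chain
    validation, no hostname check and no trust store loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, self-signed included, is accepted
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The settings the 2.1.0.0 fix enforces: chain validation against a CA
    store (the system store, or `cafile` for a private IdP CA), hostname
    verification, and no TLS below 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return one finding per weakness present (an empty list means the context passes)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain validation disabled (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded into the trust store")
    return findings


def hostname_matches(hostname: str, san_dns: list[str], common_name: Optional[str]) -> bool:
    """RFC 6125 style matching of the expected IdP hostname against the
    certificate: SAN dNSName entries are authoritative and the CN is only a
    fallback when no dNSName exists; a wildcard is honoured only as the whole
    leftmost label and never spans more than one label."""
    host = hostname.lower().rstrip(".")
    names = [n.lower().rstrip(".") for n in san_dns]
    if not names and common_name:
        names = [common_name.lower().rstrip(".")]
    for pattern in names:
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            label, sep, rest = host.partition(".")
            if sep and label and rest == pattern[2:]:
                return True
    return False


def probe_idp(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> tuple[str, str]:
    """Handshake with host:port using ctx and report the outcome. Against a
    mock IdP as in the Verification section, the hardened context must return
    'rejected' for a self-signed certificate and 'accepted' once the mock CA
    is passed as cafile; the weak context returns 'accepted' either way."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted", tls.version() or ""
    except ssl.SSLCertVerificationError as exc:
        return "rejected", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    print("weak context findings:", audit_client_context(weak_client_context()))
    print("hardened context findings:", audit_client_context(hardened_client_context()))
    # Assumed mock IdP address; replace with the test endpoint actually deployed.
    print(probe_idp("idp.example.test", 8443, hardened_client_context(), timeout=3.0))
```

The audit covers exactly the three bullets from Technical Background; `probe_idp` returns `rejected` only on a certificate verification failure, so a connection refusal or a non-certificate TLS error is reported separately as `error` rather than being mistaken for a passed check.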
```shell
# Verify currently installed driver version (Linux)
odbcinst -q -d | grep -A2 "Athena"
# Windows: check via Control Panel > Administrative Tools > ODBC Data Sources,
# or via the registry key HKLM\SOFTWARE\ODBC\ODBCINST.INI\Amazon Athena ODBC Driver
```
Interim Mitigations
If immediate upgrade is not possible:
- Use IAM-based authentication (access key + secret) instead of federated IdP authentication until the driver is updated
- Restrict ODBC client network access: Ensure clients running the affected driver can only reach the IdP over trusted, segmented network paths
- Enforce certificate pinning at the network layer: Deploy TLS inspection or certificate pinning proxies to detect unexpected certificate substitution
- Enable mutual TLS (mTLS) where the IdP supports it, adding a second layer of authentication
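One way to act on the "detect unexpected certificate substitution" mitigation above is to pin the IdP's expected leaf fingerprints and issuer and compare every handshake a TLS-inspecting sensor observes towards the IdP against them. The Python below is an added example, not part of the advisory or of any vendor tooling; the IdP hostname, pin values, issuer names and the handshake records (shaped like what a sensor or proxy might export) are all constructed for the demo.

```python
"""Added example (not from the advisory): detect certificate substitution on
the client-to-IdP path by pinning the IdP's expected leaf fingerprints and
issuer and comparing each observed TLS handshake against them.
All hostnames, fingerprints, issuer names and records are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed pin store: per IdP hostname, the sha256 fingerprints of the
# currently deployed leaf certificates (more than one during a rotation)
# and the issuer the IdP's certificates are expected to come from.
IDP_PINS = {
    "login.idp.example.com": {
        "leaf_sha256": {"11" * 32, "22" * 32},
        "issuer": "CN=Example Corp Issuing CA 01,O=Example Corp",
    },
}


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    sni: str
    severity: str
    reason: str


def check_handshake(rec: dict) -> Optional[Alert]:
    """Evaluate one handshake record; return an Alert, or None if it is benign.
    Record fields (constructed format): ts, client, sni, leaf_sha256, issuer,
    validation_status (the sensor's own chain-validation result)."""
    pins = IDP_PINS.get(rec["sni"])
    if pins is None:
        return None  # not a monitored IdP endpoint

    def alert(severity: str, reason: str) -> Alert:
        return Alert(rec["ts"], rec["client"], rec["sni"], severity, reason)

    # A sensor that cannot validate the chain is the clearest substitution
    # signal: a client with validation disabled would have accepted it silently.
    if rec["validation_status"] != "ok":
        return alert("high", f"chain validation failed at sensor: {rec['validation_status']}")
    if rec["leaf_sha256"] in pins["leaf_sha256"]:
        return None  # exactly the certificate we expect
    if rec["issuer"] != pins["issuer"]:
        # Valid chain but from a different CA: mis-issuance or an unexpected
        # interception CA that the sensor happens to trust; investigate either way.
        return alert("high", "unpinned leaf from unexpected issuer: possible substitution")
    # Same issuer, new leaf: most likely a legitimate rotation; confirm with the
    # IdP owner and then record the new fingerprint with add_pin().
    return alert("medium", "unpinned leaf from expected issuer: confirm rotation, then pin it")


def scan(records: Iterable[dict]) -> list[Alert]:
    """Run check_handshake over a stream of records and collect the alerts."""
    return [a for a in (check_handshake(r) for r in records) if a is not None]


def add_pin(sni: str, leaf_sha256: str) -> None:
    """Record a confirmed rotation so later handshakes with the new leaf are benign."""
    IDP_PINS[sni]["leaf_sha256"].add(leaf_sha256)


# Constructed sample handshakes towards the IdP, as a sensor might export them.
SAMPLE_RECORDS = [
    {"ts": "2026-04-01T09:00:01Z", "client": "10.20.0.15", "sni": "login.idp.example.com",
     "leaf_sha256": "11" * 32, "issuer": "CN=Example Corp Issuing CA 01,O=Example Corp",
     "validation_status": "ok"},
    {"ts": "2026-04-01T09:02:10Z", "client": "10.20.0.16", "sni": "login.idp.example.com",
     "leaf_sha256": "33" * 32, "issuer": "CN=Example Corp Issuing CA 01,O=Example Corp",
     "validation_status": "ok"},
    {"ts": "2026-04-01T09:05:42Z", "client": "10.20.0.17", "sni": "login.idp.example.com",
     "leaf_sha256": "44" * 32, "issuer": "CN=login.idp.example.com",
     "validation_status": "self-signed certificate"},
    {"ts": "2026-04-01T09:07:03Z", "client": "10.20.0.18", "sni": "login.idp.example.com",
     "leaf_sha256": "55" * 32, "issuer": "CN=Some Other Trusted CA,O=Other",
     "validation_status": "ok"},
    {"ts": "2026-04-01T09:08:00Z", "client": "10.20.0.19", "sni": "www.example.org",
     "leaf_sha256": "66" * 32, "issuer": "CN=Public CA", "validation_status": "ok"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print(f"{a.ts} {a.severity.upper():6} {a.client} -> {a.sni}: {a.reason}")
```

The severity split matters operationally: a self-signed or otherwise unvalidatable certificate on the IdP path is exactly the condition a pre-2.1.0.0 driver would have accepted, so it is treated as high regardless of fingerprint, while a new leaf from the expected issuer is queued for confirmation rather than paged as an incident.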
Verification
After upgrading to driver version 2.1.0.0, verify the fix is effective by testing with an invalid certificate (in a non-production environment):
1. Configure a test Athena ODBC connection pointing to a mock IdP
2. Present a self-signed or invalid certificate from the mock IdP
3. Confirm the driver rejects the connection with a certificate validation error
4. Confirm valid certificates from trusted CAs are accepted normally
Key Takeaways
- CVE-2026-35560 is a CVSS 7.4 High vulnerability in Amazon Athena ODBC driver versions prior to 2.1.0.0
- Improper TLS certificate validation in the IdP connection component enables MiTM credential interception
- Federated/SSO authentication configurations are most at risk — IAM credential-based connections have lower exposure
- Upgrade to version 2.1.0.0 immediately; use IAM credentials as an interim workaround if patching is delayed
- Stolen Athena credentials can enable unauthorized data lake access, S3 exfiltration, and AWS privilege escalation