Amazon Athena ODBC Driver Man-in-the-Middle Vulnerability
A man-in-the-middle vulnerability exists in Amazon Athena ODBC driver versions prior to 2.1.0.0 due to improper certificate validation, potentially allowing attackers to intercept authentication credentials when connecting to external identity providers.
A man-in-the-middle (MitM) vulnerability has been identified in the Amazon Athena ODBC driver. Versions prior to 2.1.0.0 perform improper certificate validation in the components that connect to external identity providers. A threat actor positioned on the network path can therefore intercept authentication credentials when the driver authenticates against such a provider. The vulnerability, tracked as CVE-2026-35560, poses a significant risk to organizations running affected versions of the Athena ODBC driver with an external identity provider: without proper certificate validation, credentials can be compromised and then used for unauthorized access to sensitive data within Athena. Connections made directly to Athena, without an external identity provider, are not affected.
Attack Chain
- The attacker positions themselves in a privileged network location between the user’s machine and the external identity provider.
- The user attempts to establish a connection to Amazon Athena using the vulnerable ODBC driver version (prior to 2.1.0.0). The connection is configured to use an external identity provider for authentication.
- The ODBC driver initiates a connection to the configured external identity provider.
- The attacker intercepts the network traffic between the ODBC driver and the identity provider.
- Due to the lack of proper certificate validation in the vulnerable ODBC driver, the attacker can present a fraudulent certificate to the driver without triggering an error.
- The ODBC driver, trusting the fraudulent certificate, proceeds with the authentication process and transmits the user’s credentials to the attacker-controlled server.
- The attacker captures the user’s authentication credentials (e.g., username and password or an access token).
- The attacker uses the stolen credentials to authenticate to the external identity provider or directly to resources protected by those credentials, potentially gaining unauthorized access to sensitive data within Amazon Athena or other connected services.
Impact
Successful exploitation allows a man-in-the-middle attacker to intercept the authentication credentials the driver sends to an external identity provider. With those credentials, the attacker can gain unauthorized access to the organization's Amazon Athena data and to any other resource the credentials protect. The severity depends on the privileges of the compromised account: the attacker could read, modify, or delete sensitive data stored in Athena, leading to data breaches, financial losses, and reputational damage. Every deployment that pairs an affected driver version with an external identity provider is exposed.
Recommendation
- Upgrade the Amazon Athena ODBC driver to version 2.1.0.0 or later to remediate the improper certificate validation vulnerability as documented in CVE-2026-35560.
- Monitor network connections from machines running the Athena ODBC driver for unexpected identity-provider traffic, such as connections to hosts other than the configured identity provider or to ports other than the one it normally uses. Use network connection logs to identify suspicious activity.
- Implement network segmentation to limit the potential impact of a successful man-in-the-middle attack, reducing the attacker’s ability to intercept traffic.
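To turn the first recommendation into a repeatable check, the script below audits ODBC DSN definitions against the advisory's scoping: a driver older than 2.1.0.0 is flagged high only when the DSN authenticates through an external identity provider, and low when it connects directly with IAM credentials (not affected per the advisory, but still worth upgrading). This is an added example, not code from the advisory or from AWS. The odbc.ini content and the version inventory are constructed; the `AuthenticationType` key and the set of identity-provider values in `IDP_AUTH_TYPES` are assumptions about the driver's DSN format, so adjust them to match your installed driver's documentation.

```python
"""Audit Athena ODBC DSNs for CVE-2026-35560 exposure (example code, not the
advisory's or AWS's own tooling)."""
import configparser
from typing import Dict, List, Tuple

FIXED_VERSION = (2, 1, 0, 0)  # first fixed release named by the advisory

# AuthenticationType values that route through an external identity provider.
# Assumption: these key/value names mirror the driver's DSN format; verify them
# against the driver documentation for your installed version.
IDP_AUTH_TYPES = {
    "okta", "azure ad", "browser azure ad", "ad fs",
    "browser saml", "ping federate", "jwt",
}

# Constructed odbc.ini with three DSNs (not a real customer configuration).
SAMPLE_ODBC_INI = """
[athena-okta]
Driver=Amazon Athena ODBC Driver
AuthenticationType=Okta
Region=us-east-1
IdP_Host=example.okta.com

[athena-iam]
Driver=Amazon Athena ODBC Driver
AuthenticationType=IAM Credentials
Region=us-east-1

[other-db]
Driver=PostgreSQL Unicode
"""

# Constructed inventory mapping driver name to installed version, as you might
# export from a package manager or from HKLM\SOFTWARE\ODBC\ODBCINST.INI.
SAMPLE_INVENTORY = {
    "Amazon Athena ODBC Driver": "2.0.3.0",
    "PostgreSQL Unicode": "16.00.0000",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.3.0' into (2, 0, 3, 0) so comparison is numeric: a string
    compare would wrongly rank '2.10.0.0' below '2.9.0.0'. Shorter strings
    are padded with zeros so '2.1' compares equal to 2.1.0.0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def is_vulnerable_version(text: str) -> bool:
    """True for any release before the fixed 2.1.0.0."""
    return parse_version(text) < FIXED_VERSION


def audit_dsns(odbc_ini: str, inventory: Dict[str, str]) -> List[dict]:
    """Return one finding per Athena DSN with a risk rating that follows the
    advisory: vulnerable driver + identity provider = high; vulnerable driver
    with a direct connection = low; fixed driver = none."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case as written in odbc.ini
    cfg.read_string(odbc_ini)
    findings = []
    for dsn in cfg.sections():
        driver = cfg[dsn].get("Driver", "")
        if "athena" not in driver.lower():
            continue  # only the Athena driver is in scope
        version = inventory.get(driver)
        auth = cfg[dsn].get("AuthenticationType", "").strip().lower()
        uses_idp = auth in IDP_AUTH_TYPES
        if version is None:
            risk, reason = "unknown", "driver version not found in inventory"
        elif not is_vulnerable_version(version):
            risk, reason = "none", "driver is at or above 2.1.0.0"
        elif uses_idp:
            risk, reason = "high", "vulnerable driver authenticates via external identity provider"
        else:
            risk, reason = "low", "direct connection is not affected per advisory; upgrade anyway"
        findings.append({"dsn": dsn, "driver": driver, "version": version,
                         "auth": auth, "risk": risk, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_dsns(SAMPLE_ODBC_INI, SAMPLE_INVENTORY):
        print(f"{finding['risk']:<7} {finding['dsn']:<14} {finding['reason']}")
```

Point the script at the real odbc.ini (or a registry export converted to the same INI shape) and an inventory built from the driver's actual installed version; a DSN whose driver version is missing from the inventory is reported as unknown rather than silently treated as safe.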
Detection coverage
Detect Athena ODBC Driver Connecting to Uncommon Ports
Severity: medium. Detects the Athena ODBC driver connecting to ports not normally associated with identity provider services, which might indicate a MitM attack.
Detect Suspicious Process Connecting to Athena ODBC Driver
Severity: low. Detects processes unexpectedly connecting to AthenaODBC.exe, which could indicate a MitM attempt to inject malicious code or intercept communications.
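The first rule above (uncommon destination ports) can be expressed as a few lines of log logic. The following is an added example, not one of the platform's own rules, and it runs over constructed Sysmon-style network connection events (EventID 3) rather than real telemetry. It carries over two assumptions from the rule: that `AthenaODBC.exe` is the process image to watch, and that an HTTPS identity provider is only ever reached on port 443, so anything else from that image is reported at medium severity.

```python
"""Flag Athena ODBC driver connections to ports other than the expected
identity-provider port (example detection, not the platform's own rule)."""
import json
import ntpath
from typing import Iterable, List, Optional

# Process image names to watch. The rule names AthenaODBC.exe; treating it as
# the driver's process image is an assumption taken from that rule.
WATCHED_IMAGES = {"athenaodbc.exe"}
# Ports an HTTPS identity-provider endpoint is expected to use (assumption).
EXPECTED_IDP_PORTS = {443}

# Constructed Sysmon-style events, serialised as line-delimited JSON.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Program Files\\Amazon Athena ODBC Driver\\AthenaODBC.exe",
     "User": "CORP\\alice", "DestinationHostname": "login.example-idp.com",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Program Files\\Amazon Athena ODBC Driver\\AthenaODBC.exe",
     "User": "CORP\\alice", "DestinationHostname": "login.example-idp.com",
     "DestinationIp": "198.51.100.7", "DestinationPort": 8443},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "User": "NT AUTHORITY\\SYSTEM", "DestinationHostname": "wsus.corp.example",
     "DestinationIp": "10.0.0.5", "DestinationPort": 8530},
    {"EventID": 1, "Image": "C:\\Program Files\\Amazon Athena ODBC Driver\\AthenaODBC.exe",
     "User": "CORP\\alice"},  # process creation, not a network event
    {"EventID": 3, "Image": "c:\\program files\\amazon athena odbc driver\\ATHENAODBC.EXE",
     "User": "CORP\\bob", "DestinationHostname": "-",
     "DestinationIp": "198.51.100.7", "DestinationPort": "80"},  # port as string
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def _port(value) -> Optional[int]:
    """Sysmon exports sometimes carry the port as a string; normalise it."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def detect_uncommon_idp_ports(log_lines: Iterable[str]) -> List[dict]:
    """Return one alert per network connection made by a watched image to a
    port outside EXPECTED_IDP_PORTS. Malformed lines and non-network events
    are skipped so one bad record cannot stall the pipeline."""
    alerts = []
    for lineno, raw in enumerate(log_lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("EventID") != 3:
            continue
        # Compare on the basename, case-insensitively: paths and casing vary.
        image = ntpath.basename(str(event.get("Image", ""))).lower()
        if image not in WATCHED_IMAGES:
            continue
        port = _port(event.get("DestinationPort"))
        if port is None or port in EXPECTED_IDP_PORTS:
            continue
        alerts.append({
            "line": lineno,
            "severity": "medium",
            "rule": "Athena ODBC driver connecting to uncommon port",
            "user": event.get("User"),
            "image": event.get("Image"),
            "dest": f"{event.get('DestinationIp')}:{port}",
            "dest_host": event.get("DestinationHostname"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_uncommon_idp_ports(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

In production, replace `SAMPLE_LOG` with the EventID 3 feed from your SIEM and tune `EXPECTED_IDP_PORTS` to the port your identity provider actually listens on; a connection from the driver on port 80 is worth a look in its own right, since an identity provider should never be reached in cleartext.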