OS Command Injection in Amazon Athena ODBC Driver for Linux
CVE-2026-5485

7.3 HIGH

Key Information:

Vendor: Amazon
CVE Published: 3 April 2026

What is CVE-2026-5485?

The Amazon Athena ODBC driver for Linux prior to version 2.0.5.1 is vulnerable to OS command injection in its browser-based authentication component. An attacker might exploit this issue by crafting connection parameters that the driver processes during a connection initiated by a local user. This could lead to unauthorized execution of arbitrary code, compromising system integrity and user security. Users should upgrade to version 2.0.5.1 or later to mitigate this risk.

Affected Version(s)

Amazon Athena ODBC driver for Linux, versions prior to 2.0.5.1

CVSS V4

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
