CVE-2026-12283
Received Received - Intake

SQL Injection in Amazon Athena Query Federation

Vulnerability report for CVE-2026-12283, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: AMZN

Description

Amazon Athena is a serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL. Athena Query Federation is a feature that allows you to connect to data sources outside of Amazon S3 like DynamoDB, Azure Synapse, and custom connectors using standard SQL syntax. Improper neutralization of special elements used in an SQL command in the Synapse connector in Amazon aws-athena-query-federationΒ v2022.20.1 through v2026.19.1Β might allow an authenticated remote user to execute injected read-only SQL queries that return unintended data from the connected database via a crafted table name. To remediate this issue, users should upgrade to version v2026.21.1 or later.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
amazon aws-athena-query-federation From 2022.20.1 (inc) to 2026.19.1 (inc)
amazon aws-athena-query-federation 2026.21.1
amazon aws-athena-query-federation to 2026.21.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an SQL injection flaw in Amazon Athena's Synapse connector. It allows an authenticated remote user to execute read-only SQL queries by injecting specially crafted table names. The issue occurs when querying a table with a malicious name through the Athena Synapse connector, which may return unintended data from the connected Azure Synapse database.

Detection Guidance

To detect this vulnerability, check the version of your Amazon Athena Query Federation Synapse connector. If it is between v2022.20.1 and v2026.19.1, it is vulnerable. Run: aws athena get-query-execution --query-execution-id <ID> to inspect queries. Also review Synapse database tables for crafted names that may indicate exploitation attempts.

Impact Analysis

An attacker with access to an Azure Synapse account could exploit this to retrieve unauthorized data from the Synapse database. The impact is limited to read-only access, but sensitive information could be exposed. Users should upgrade to version v2026.21.1 or later to mitigate this risk.

Compliance Impact

This vulnerability could lead to unauthorized data exposure, violating confidentiality requirements in GDPR and HIPAA. Organizations using affected versions may face compliance risks due to potential data breaches. Upgrading to patched versions is necessary to maintain compliance.

Mitigation Strategies

Immediately upgrade the Amazon Athena Query Federation Synapse connector to version v2026.21.1 or later. As a temporary measure, audit Synapse database tables for crafted names and sanitize inputs when creating tables programmatically. Remove any tables with suspicious names that could exploit SQL injection.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12283. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart