SQL Injection Vulnerability in Amazon Athena Query Federation by AWS
CVE-2026-12283

6.1MEDIUM

Key Information:

Vendor

Aws

Vendor
CVE Published:
17 July 2026

What is CVE-2026-12283?

The Synapse connector in Amazon Athena's query federation feature is susceptible to an SQL injection vulnerability due to improper handling of special characters in SQL commands. An authenticated remote user could exploit this vulnerability by crafting malicious table names, enabling the execution of unauthorized read-only SQL queries. These queries could yield sensitive data from connected databases, including sources such as DynamoDB and Azure Synapse. To mitigate this risk, users are advised to update to version v2026.21.1 or later.

Affected Version(s)

aws-athena-query-federation v2022.20.1

References

CVSS V4

Score:
6.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.