SQL injection in Amazon Athena Synapse connector
Summary
| CVE | CVE-2026-12283 |
|---|---|
| State | PUBLISHED |
| Assigner | AMZN |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-17 20:17:14 UTC |
| Updated | 2026-07-17 20:17:14 UTC |
| Description | Amazon Athena is a serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL. Athena Query Federation is a feature that allows you to connect to data sources outside of Amazon S3 like DynamoDB, Azure Synapse, and custom connectors using standard SQL syntax. Improper neutralization of special elements used in an SQL command in the Synapse connector in Amazon aws-athena-query-federation v2022.20.1 through v2026.19.1 might allow an authenticated remote user to execute injected read-only SQL queries that return unintended data from the connected database via a crafted table name. To remediate this issue, users should upgrade to version v2026.21.1 or later. |
Risk And Classification
Primary CVSS: v4.0 6.1 MEDIUM from ff89ba41-3aa1-4d27-914a-91399e9639e5
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-89 | CWE-89 CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | ff89ba41-3aa1-4d27-914a-91399e9639e5 | Secondary | 6.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 6.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| 3.1 | ff89ba41-3aa1-4d27-914a-91399e9639e5 | Secondary | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| 3.1 | CNA | CVSS | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
HighUser Interaction
NoneConfidentiality
NoneIntegrity
NoneAvailability
NoneSub Conf.
HighSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
HighUser Interaction
NoneScope
ChangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | AWS | Aws-athena-query-federation | affected v2022.20.1 v2026.19.1 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/awslabs/aws-athena-query-federation/security/advisories/GHSA-... | ff89ba41-3aa1-4d27-914a-91399e9639e5 | github.com | |
| github.com/awslabs/aws-athena-query-federation/releases/tag/v2026.21.1 | ff89ba41-3aa1-4d27-914a-91399e9639e5 | github.com | |
| aws.amazon.com/security/security-bulletins/2026-059-aws | ff89ba41-3aa1-4d27-914a-91399e9639e5 | aws.amazon.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.