CVE-2026-12283 - Issue with Athena Federated Query Synapse Connector
Bulletin ID: 2026-059-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/17/2026 12:00 PM PDT
Description:
Amazon Athena is a serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL. Athena Query Federation is a feature that allows you to connect to data sources outside of Amazon S3 like DynamoDB, Azure Synapse, and custom connectors using standard SQL syntax. These connectors are open source and deployed to the Athena service on a regular basis. We identified CVE-2026-12283. A user with access to an Azure Synapse account can create a table with a specially crafted name that, when queried through the Athena Synapse connector, could result in unintended data being returned.
Impacted versions:
- versions >= v2022.20.1 (released on 5/19/2022) AND
- versions <= v2026.19.1 (released on 5/28/2026)
Resolution:
This issue has been addressed in AWS Athena Query Federation version v2026.21.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds:
Verify that there are no tables that can be subject to SQL injection in the Synapse database. If you allow Synapse tables to be created programmatically, you should sanitize the input.
References:
Please email aws-security@amazon.com with any security questions or concerns.