CVE-2026-12283: CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection') in AWS aws-athena-query-federation
Amazon Athena is a serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL. Athena Query Federation is a feature that allows you to connect to data sources outside of Amazon S3 like DynamoDB, Azure Synapse, and custom connectors using standard SQL syntax. Improper neutralization of special elements used in an SQL command in the Synapse connector in Amazon aws-athena-query-federation v2022.20.1 through v2026.19.1 might allow an authenticated remote user to execute injected read-only SQL queries that return unintended data from the connected database via a crafted table name. To remediate this issue, users should upgrade to version v2026.21.1 or later.
AI Analysis
Technical Summary
Amazon Athena's Query Federation feature, specifically the Synapse connector in aws-athena-query-federation versions v2022.20.1 through v2026.19.1, contains an SQL injection vulnerability (CWE-89). This improper neutralization of special elements in SQL commands allows authenticated users to inject read-only SQL queries via crafted table names, potentially exposing unintended data from connected external databases. AWS has addressed this issue in version v2026.21.1 and later.
Potential Impact
An authenticated remote user could exploit this vulnerability to execute injected read-only SQL queries on the connected database through the Synapse connector. This may lead to unauthorized disclosure of data accessible via the injected queries. There is no indication of privilege escalation, data modification, or denial of service. No known exploits in the wild have been reported.
Mitigation Recommendations
AWS manages remediation for this cloud-hosted service. Users should ensure they are using aws-athena-query-federation version v2026.21.1 or later, where this vulnerability is fixed. Check the AWS security advisory at https://aws.amazon.com/security/security-bulletins/2026-059-aws/ for the latest remediation guidance.
CVE-2026-12283: CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection') in AWS aws-athena-query-federation
Description
Amazon Athena is a serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL. Athena Query Federation is a feature that allows you to connect to data sources outside of Amazon S3 like DynamoDB, Azure Synapse, and custom connectors using standard SQL syntax. Improper neutralization of special elements used in an SQL command in the Synapse connector in Amazon aws-athena-query-federation v2022.20.1 through v2026.19.1 might allow an authenticated remote user to execute injected read-only SQL queries that return unintended data from the connected database via a crafted table name. To remediate this issue, users should upgrade to version v2026.21.1 or later.
CVSS v4.0
Score 6.1medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Amazon Athena's Query Federation feature, specifically the Synapse connector in aws-athena-query-federation versions v2022.20.1 through v2026.19.1, contains an SQL injection vulnerability (CWE-89). This improper neutralization of special elements in SQL commands allows authenticated users to inject read-only SQL queries via crafted table names, potentially exposing unintended data from connected external databases. AWS has addressed this issue in version v2026.21.1 and later.
Potential Impact
An authenticated remote user could exploit this vulnerability to execute injected read-only SQL queries on the connected database through the Synapse connector. This may lead to unauthorized disclosure of data accessible via the injected queries. There is no indication of privilege escalation, data modification, or denial of service. No known exploits in the wild have been reported.
Mitigation Recommendations
AWS manages remediation for this cloud-hosted service. Users should ensure they are using aws-athena-query-federation version v2026.21.1 or later, where this vulnerability is fixed. Check the AWS security advisory at https://aws.amazon.com/security/security-bulletins/2026-059-aws/ for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- AMZN
- Date Reserved
- 2026-06-15T13:56:10.694Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
- Vendor Advisory Urls
- [{"url":"https://aws.amazon.com/security/security-bulletins/2026-059-aws/","vendor":"AWS"}]
Threat ID: 6a5b5eb02d1edb114c7fb372
Added to database: 07/18/2026, 11:08:32 UTC
Last enriched: 07/18/2026, 11:55:10 UTC
Last updated: 07/18/2026, 13:34:55 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.