Back to overview

CVE-2026-12283

MEDIUM
6.8
CVSS 3.1
Description
Amazon Athena is a serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL. Athena Query Federation is a feature that allows you to connect to data sources outside of Amazon S3 like DynamoDB, Azure Synapse, and custom connectors using standard SQL syntax. Improper neutralization of special elements used in an SQL command in the Synapse connector in Amazon aws-athena-query-federation v2022.20.1 through v2026.19.1 might allow an authenticated remote user to execute injected read-only SQL queries that return unintended data from the connected database via a crafted table name. To remediate this issue, users should upgrade to version v2026.21.1 or later.

Metadata

CVE ID
CVE-2026-12283
State
PUBLISHED
Assigner
AMZN
Reserved
2026-06-15 13:56 UTC
Published
2026-07-17 19:05 UTC
Last updated
2026-07-17 19:43 UTC
Primary CWE
CWE-89
CWE-89 Improper neutralization of special elements used in a…
Vendor / Product
AWS / aws-athena-query-federation
Sources
cve.org  ·  NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
AWS aws-athena-query-federation v2022.20.1 ≤ v2026.19.1
Weakness (CWE)
CWESourceDescription
CWE-89 cna CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.8 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
6.1 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
Back to overview