🟠 High  |  Source: AWS Security Bulletins


A vulnerability (CVE-2026-12283) in the AWS Athena Federated Query Synapse Connector allows a user with access to an Azure Synapse account to create a maliciously named table that, when queried through the Athena connector, could return unintended data. The flaw affects connector versions released between May 2022 and May 2026. This is a cross-cloud attack vector, as exploitation requires an adversarial foothold in Azure Synapse to affect queries executed via AWS Athena.

Security Architect’s Take: Verify whether your Athena deployments use the Synapse federated connector and confirm the updated connector version has been deployed by AWS; additionally, review who holds write access to Azure Synapse schemas that are queryable via Athena, and consider restricting table creation privileges in Synapse to trusted principals only.

Original advisory: CVE-2026-12283 - Issue with Athena Federated Query Synapse Connector