🟠 High | Source: AWS Security Bulletins
A vulnerability (CVE-2026-12283) in the AWS Athena Federated Query Synapse Connector allows a user with access to an Azure Synapse account to create a maliciously named table that, when queried through the Athena connector, could return unintended data. The flaw affects connector versions released between May 2022 and May 2026. This is a cross-cloud attack vector, as exploitation requires an adversarial foothold in Azure Synapse to affect queries executed via AWS Athena.
Security Architect’s Take: Verify whether your Athena deployments use the Synapse federated connector and confirm the updated connector version has been deployed by AWS; additionally, review who holds write access to Azure Synapse schemas that are queryable via Athena, and consider restricting table creation privileges in Synapse to trusted principals only.
Original advisory: CVE-2026-12283 - Issue with Athena Federated Query Synapse Connector