CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Blast Radius
Ecosystem impact: 5 Maven packages depend on org.apache.polaris:polaris-runtime-service (5 direct, 0 indirect).
Ecosystem-wide dependent count for version 1.4.1.
Description (NVD)
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker-directed because the attacker can choose a reachable target location.
In the confirmed variant, if the caller supplies a custom location during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued.
Closely related to that, the staged-create flow also accepts write.data.path / write.metadata.path in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-location exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.
Analysis (AI)
Apache Polaris issues overly permissive temporary storage credentials during staged table creation, allowing authenticated attackers to redirect vended credentials to attacker-controlled storage locations. The vulnerability stems from missing validation and overlap checks before credential issuance: attackers supply a custom 'location' parameter or 'write.data.path'/'write.metadata.path' properties that take effect immediately without verification. …
Remediation (AI)
Within 24 hours: Inventory all Apache Polaris deployments and document current versions; disable or restrict table creation permissions to only trusted administrators pending remediation.
Within 7 days: Contact the Apache Polaris security team for patch timeline confirmation; implement network-level controls restricting Polaris service accounts from accessing storage locations outside whitelisted paths, and review audit logs for suspicious 'location' parameters or custom write.data.path/write.metadata.path properties in recent table creation requests. …
References
EUVD-2026-27033
GHSA-8ggj-j522-h5qf