Skip to main content

Apache Polaris CVE-2026-42809

| EUVDEUVD-2026-27033 CRITICAL
Missing Authorization (CWE-862)
2026-05-04 apache GHSA-8ggj-j522-h5qf
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Patch available
May 04, 2026 - 18:32 EUVD
Analysis Updated
May 04, 2026 - 17:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 04, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
May 04, 2026 - 17:22 NVD
9.9 (CRITICAL) 9.4 (CRITICAL)
Patch released
May 04, 2026 - 17:16 nvd
Patch available
Analysis Generated
May 04, 2026 - 17:02 vuln.today
EUVD ID Assigned
May 04, 2026 - 16:30 euvd
EUVD-2026-27033
Analysis Generated
May 04, 2026 - 16:30 vuln.today
CVE Published
May 04, 2026 - 16:22 nvd
CRITICAL 9.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 maven packages depend on org.apache.polaris:polaris-runtime-service (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.4.1.

DescriptionCVE.org

Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location.

In the confirmed variant, if the caller supplies a custom location during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued.

Closely related to that, the staged-create flow also accepts write.data.path / write.metadata.path in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-location exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.

AnalysisAI

Apache Polaris issues overly-permissive temporary storage credentials during staged table creation, allowing authenticated attackers to redirect vended credentials to attacker-controlled storage locations. The vulnerability stems from missing validation and overlap checks before credential issuance - attackers supply a custom 'location' parameter or 'write.data.path'/'write.metadata.path' properties that become effective immediately without verification. This enables unauthorized access to arbitrary storage resources beyond intended table boundaries, with CVSS 9.4 severity indicating high impact across confidentiality, integrity, and availability of both vulnerable and subsequent systems.

Technical ContextAI

Apache Polaris is a cloud-native catalog service for Apache Iceberg tables that manages metadata and issues temporary cloud storage credentials (likely AWS STS, Azure SAS, or GCP signed URLs) to limit data access scope. The vulnerability occurs in the staged table creation workflow where Polaris constructs delegated credentials using attacker-supplied location parameters before executing normal validation routines. This affects the credential vending mechanism that should enforce least-privilege access boundaries. The root cause is CWE-862 (Missing Authorization) - the system fails to verify authorization constraints on the storage location before issuing access tokens. The staged-create code path bypasses both location validation logic and overlap detection that would normally prevent credentials from accessing unintended storage prefixes or buckets.

RemediationAI

Apply the vendor-released patch detailed in Apache advisory https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r immediately. Upgrade Apache Polaris to the fixed version specified in the advisory which implements proper location validation and overlap checks before credential issuance. Until patching is complete, implement these compensating controls: (1) Restrict Polaris user permissions to disable staged table creation functionality if not operationally required - this eliminates the vulnerable code path but prevents legitimate use of staging workflows; (2) Deploy cloud IAM boundary policies on the service account used by Polaris to limit maximum scope of vended credentials to known-good storage prefixes, reducing blast radius if exploitation occurs but may cause false positives for legitimate multi-bucket catalogs; (3) Enable detailed cloud storage access logging and monitor for credential usage patterns accessing unexpected buckets or paths outside normal table locations - adds detection capability but does not prevent exploitation. Review audit logs for suspicious staged table creation requests with custom location parameters between initial deployment and patch application.

Share

CVE-2026-42809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy