Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 23 maven packages depend on org.apache.polaris:polaris-core (17 direct, 6 indirect)
Ecosystem-wide dependent count for version 1.4.1.
DescriptionCVE.org
Apache Polaris accepts literal * characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and s3:prefix conditions.
In S3 IAM policy matching, * is treated as a wildcard rather than as ordinary text. That means temporary credentials issued for one crafted table can match the storage path of a different table.
In private testing against Polaris 1.4.0 using Polaris' AWS S3 temporary- credential path on both MinIO and real AWS S3, credentials returned for crafted tables such as f*.t1, f*.*, *.*, and foo.* could reach other tables' S3 locations.
The confirmed behavior includes:
- reading another table's metadata control file ([Iceberg metadata JSON]);
- listing another table's exact S3 table prefix ([table prefix]);
- and, when write delegation was returned for the crafted table, creating
and deleting an object under another table's exact S3 table prefix.
A control case using ordinary different names did not allow the same cross-table access.
A least-privilege AWS S3 variant was also confirmed in which the attacker principal had no Polaris permissions on the victim table and only the minimal permissions required to create and use a crafted wildcard table (namespace-scoped TABLE_CREATE and TABLE_WRITE_DATA on *). In that setup, direct Polaris access to foo.t1 remained forbidden, but the attacker could still create and load *.*, receive delegated S3 credentials, and use those credentials to list, read, create, and delete objects under foo.t1.
In Iceberg, the metadata JSON file is a control file: it tells readers which data files belong to the table, which snapshots exist, and which table version to read. So unauthorized access to it is already a meaningful confidentiality problem. The confirmed write-capable variant means the issue is not limited to disclosure.
AnalysisAI
Wildcard injection in Apache Polaris table names allows authenticated users to escalate privileges and access unauthorized S3 data across tables. By creating tables with literal asterisk characters (e.g., 'f*.t1', '*.*'), attackers bypass IAM policy scoping and obtain temporary S3 credentials that match other tables' storage paths. Confirmed exploitation scenarios include reading Iceberg metadata control files, listing table prefixes, and creating/deleting objects in victim tables' S3 locations - even when the attacker lacks direct Polaris permissions on those tables. Private testing confirmed this on both MinIO and AWS S3 against Polaris 1.4.0. The CVSS 9.4 (Critical) reflects network-accessible exploitation requiring only low privileges (namespace-scoped TABLE_CREATE), with high confidentiality, integrity, and availability impact across system and subsequent components. No public exploit code or CISA KEV listing identified at time of analysis, but the Apache advisory provides detailed attack mechanics.
Technical ContextAI
Apache Polaris is a catalog service for Apache Iceberg table format, managing metadata and delegating temporary S3 credentials for data access. The vulnerability stems from improper neutralization of special elements (CWE-116) when constructing S3 IAM policies. Polaris accepts literal asterisk characters in namespace and table names without escaping them when building IAM resource patterns and s3:prefix conditions. In AWS IAM policy language, asterisks function as wildcards matching zero or more characters. When Polaris generates temporary credentials with resource patterns like 'arn:aws:s3:::bucket/f*.t1/*', the IAM service interprets this as matching any table starting with 'f' (e.g., 'foo.t1'), rather than a literal table named 'f*.t1'. This allows privilege escalation where credentials scoped to one crafted table name inadvertently grant access to multiple real tables. The affected component is Polaris' AWS S3 temporary-credential delegation path, confirmed on version 1.4.0. The CPE string indicates all versions of Apache Polaris prior to the fix are vulnerable. Iceberg metadata JSON files serve as control documents defining table schemas, snapshots, and data file locations, making unauthorized read/write access particularly dangerous for data integrity and confidentiality.
RemediationAI
Apply the vendor-released patch immediately upon availability from the Apache Polaris project. Monitor the Apache security advisory at https://lists.apache.org/thread/gg3qq9sqg4hdjmprqy46p40xmln61dm9 for patch release announcements and upgrade instructions. Until patching is feasible, implement these compensating controls with noted trade-offs: (1) Enforce strict input validation on table and namespace names to reject any special characters including asterisks, underscores, or percent signs - this may break existing workflows using non-alphanumeric names; (2) Implement namespace-level IAM policy reviews to identify and quarantine tables with suspicious wildcard patterns in their names; (3) Restrict TABLE_CREATE permissions to trusted administrative principals only, removing self-service table creation capabilities - this significantly impacts developer productivity in multi-tenant environments; (4) Deploy S3 bucket policies with explicit Deny statements for resource patterns containing wildcards, though this may conflict with legitimate Polaris operations; (5) Enable S3 CloudTrail logging and alert on credential usage patterns where a single credential set accesses multiple distinct table prefixes. Note that none of these mitigations fully prevent exploitation if attackers already possess namespace-scoped TABLE_CREATE privileges.
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27035
GHSA-vxgg-mqx2-3w59