Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9Blast Radius
ecosystem impact- 5 maven packages depend on org.apache.polaris:polaris-runtime-service (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.4.1.
DescriptionCVE.org
In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read.
write.metadata.path is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a Polaris-managed catalog, changing only that property through an ALTER TABLE-style settings change (not a row-level INSERT, SELECT, UPDATE, or DELETE) bypasses the commit-time branch that is supposed to revalidate storage locations.
The full persisted / credential-vending variant requires the affected catalog to have polaris.config.allow.unstructured.table.location=true, with allowedLocations broad enough to include the attacker-chosen target.
allowedLocations is the admin-configured allowlist of storage paths that the catalog is allowed to use. Public project materials suggest that this flag is a real supported compatibility / layout mode, not just a contrived lab-only prerequisite.
In that configuration, a user who can change table settings can cause Apache Polaris itself to write new table metadata to an attacker-chosen reachable storage location before the intended location-validation branch runs.
If the later concrete-path validation also accepts that location, Polaris persists the resulting metadata path into stored table state. Later table-load and credential APIs can then return temporary cloud-storage credentials for the same location without revalidating it. In plain terms, Polaris can later hand out temporary storage access for the same attacker-chosen area.
That attacker-chosen area does not need to be limited to the poisoned table's own files. If it is a broader storage prefix, another table's prefix, or, depending on configuration or provider behavior, even a bucket/container root, the resulting disclosure or corruption scope can extend to any data and metadata Polaris can reach there.
The practical consequences are therefore similar to the staged-create credential-vending issue already discussed: data and metadata reachable in that storage scope can be exposed and, if write-capable credentials are later issued, modified, corrupted, or removed. Even before that later credential step, Polaris itself performs the metadata write to the unchecked location.
So the core issue is not only later credential vending.
The primary defect is that Polaris skips its intended location checks before performing a security- sensitive metadata write when only write.metadata.path changes.
When polaris.config.allow.unstructured.table.location=false, current code review suggests the later updateTableLike(...) validation usually rejects out-of-tree metadata locations before the unsafe path is persisted. That may reduce the persisted / credential-vending variant, but it does not prevent the underlying defect: Polaris still skips the intended pre-write location check when only write.metadata.path changes.
AnalysisAI
Authenticated attackers with table configuration privileges can bypass storage location validation in Apache Polaris by manipulating the write.metadata.path property during ALTER TABLE operations. This forces Polaris to write metadata files to attacker-controlled storage locations without proper validation, then subsequently issue cloud storage credentials for those locations. The vulnerability enables unauthorized access to and potential corruption of data belonging to other tables within the catalog's allowedLocations scope, particularly when polaris.config.allow.unstructured.table.location=true. EPSS data not available; no public exploit identified at time of analysis.
Technical ContextAI
Apache Polaris is a catalog management service for Apache Iceberg tables that controls access to table metadata and mediates cloud storage credentials. The vulnerability exploits a logic flaw in Polaris's commit validation workflow. When users modify only the write.metadata.path table property (which directs where Iceberg metadata files are written), the alteration bypasses the commit-time validation branch that normally revalidates storage locations against the configured allowedLocations allowlist. The root cause is CWE-863 (Incorrect Authorization), where the authorization check for security-sensitive metadata writes is missing from a specific code path. The vulnerability is most severe when polaris.config.allow.unstructured.table.location=true, which permits tables to use arbitrary storage locations within the allowedLocations scope rather than strictly managed paths. This configuration appears to be a documented compatibility mode rather than an edge case. The CVSS 4.0 vector indicates network-accessible exploitation with low attack complexity requiring only low-level privileges (authenticated user with table modification rights) and no user interaction, resulting in high impact across confidentiality, integrity, and availability in both the vulnerable system and subsequent systems (scope change).
RemediationAI
Consult the Apache security advisory at https://lists.apache.org/thread/wxd2wj3p0smvrk84msv317wg5tp3jtw9 for vendor-released patch details and exact fixed version information (not specified in current data). As an immediate compensating control, set polaris.config.allow.unstructured.table.location=false to disable unstructured table location support, which significantly reduces the persisted credential-vending attack surface, though it does not eliminate the underlying pre-write validation bypass. Review and tighten allowedLocations configurations to minimize the blast radius-restrict paths to the narrowest necessary scope per table or tenant rather than broad bucket-level permissions. Implement additional authorization controls at the cloud storage layer (IAM policies, bucket policies) to enforce defense-in-depth even if Polaris credentials are compromised. Audit existing tables for suspicious write.metadata.path values that point outside expected storage hierarchies. Note that disabling unstructured locations may break compatibility with existing table layouts that rely on custom metadata paths, requiring migration planning. Monitor Polaris access logs for ALTER TABLE operations targeting write.metadata.path properties, especially from users who should not be modifying storage configurations.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27039
GHSA-w76p-3cgp-qfcm