A critical vulnerability in Apache Polaris allows unauthorized access to Google Cloud Storage buckets by bypassing credential path restrictions.

This is a credential injection vulnerability where the application fails to properly sanitize user-supplied namespace or table identifiers before incorporating them into Google Cloud Storage (GCS) Credential Access Boundary (CAB) CEL conditions. An authenticated user can inject malicious fragments to broaden credential scope, effectively gaining bucket-wide access.

The ability to elevate limited table-level access to bucket-wide read, write, and delete permissions presents a severe risk to data integrity and confidentiality. Given the CVSS score of 9.9, an attacker could exfiltrate sensitive metadata, manipulate critical configuration files, or destroy storage objects, leading to potential service disruption and significant data loss.

Immediate Action: Upgrade Apache Polaris to the latest patched version immediately to ensure proper CEL condition sanitization.

Proactive Monitoring: Review GCS access logs for anomalous patterns, specifically looking for unauthorized attempts to list or modify objects outside of expected table prefixes.

Compensating Controls: Implement strict IAM policies at the Google Cloud project level to limit the permissions of the service accounts used by Polaris, ensuring they operate under the principle of least privilege.

Public Exploit Available: No

This vulnerability represents a significant architectural failure in how storage credentials are delegated. Organizations utilizing Apache Polaris to manage GCS storage must prioritize the application of security updates. Failure to remediate could allow attackers to bypass intended security boundaries and compromise the entire storage environment.