CVE-2026-42809
Apache · Polaris
Apache Polaris incorrectly issues temporary storage credentials for staged table creation before validating the target location, allowing attackers to influence credential scope.
Executive summary
Apache Polaris contains a critical flaw in its credential vending process that allows attackers to influence the scope of temporary storage credentials, potentially leading to unauthorized data access.
Vulnerability
The vulnerability involves the improper validation of custom locations during the staged table creation flow. An attacker can provide a target location that is neither validated nor overlap-checked before the application issues temporary, broad storage credentials, enabling access to unauthorized data paths.
Business impact
Successful exploitation allows an attacker to manipulate the scope of storage credentials, leading to potential unauthorized access to sensitive data and metadata stored in the underlying infrastructure. With a CVSS score of 9.9, this vulnerability represents an extreme risk to data integrity and confidentiality within the Apache Polaris environment.
Remediation
Immediate Action: Apply the latest security patches provided by the Apache Software Foundation for Polaris as soon as they become available.
Proactive Monitoring: Audit table-creation and credential-request logs for unexpected target locations, and for anomalous values in location properties such as write.data.path or write.metadata.path.
Compensating Controls: Implement strict IAM policies at the storage layer to limit the scope of credentials generated by Polaris, ensuring they are restricted to known-good bucket paths.
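As an added illustration of the monitoring and containment checks described above (this is not Apache Polaris code; the JSON audit-log shape, the allowed base location and the sample records are constructed assumptions), the following scans staged-create requests and flags any location property that resolves outside the allowed base:

```python
import json
import posixpath
from urllib.parse import urlparse, unquote

LOCATION_KEYS = ("location", "write.data.path", "write.metadata.path")
CLOUD_SCHEMES = ("s3", "s3a", "gs", "abfss")

def normalize_location(loc):
    """Split a cloud URI into (scheme, bucket, canonical dir path) or None.
    Percent-decoding plus normpath collapse '..', '.' and '//', so
    's3://b/wh/../secret' becomes '/secret/'; the forced trailing slash
    keeps '/wh/t1/' from matching '/wh/t10/' in a prefix test."""
    p = urlparse(loc.strip())
    if p.scheme.lower() not in CLOUD_SCHEMES or not p.netloc:
        return None
    path = posixpath.normpath("/" + unquote(p.path).lstrip("/"))
    return (p.scheme.lower(), p.netloc, path if path == "/" else path + "/")

def is_within(candidate, base):
    """True only if candidate is in base's bucket and under base's path."""
    c, b = normalize_location(candidate), normalize_location(base)
    if c is None or b is None:
        return False
    return c[0] == b[0] and c[1] == b[1] and c[2].startswith(b[2])

def check_properties(props, allowed_base):
    """Return the location property keys whose value escapes allowed_base."""
    return [k for k in LOCATION_KEYS
            if props.get(k) and not is_within(props[k], allowed_base)]

def scan_audit_log(lines, allowed_base):
    """Scan constructed JSON audit lines ({"event": "stage_create", "table": ...,
    "properties": {...}}) and return [(table, offending_keys)] to investigate."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") != "stage_create":
            continue
        bad = check_properties(rec.get("properties", {}), allowed_base)
        if bad:
            hits.append((rec.get("table"), bad))
    return hits

# Constructed sample: one benign request, one '..' traversal, one foreign bucket.
SAMPLE_LOG = [
    '{"event":"stage_create","table":"sales.orders","properties":{"location":"s3://warehouse/sales/orders","write.data.path":"s3://warehouse/sales/orders/data"}}',
    '{"event":"stage_create","table":"sales.x","properties":{"location":"s3://warehouse/sales/x","write.metadata.path":"s3://warehouse/sales/../finance/ledger"}}',
    '{"event":"stage_create","table":"sales.y","properties":{"location":"s3://warehouse-backup/sales/y"}}',
]
```

Running `scan_audit_log(SAMPLE_LOG, "s3://warehouse/sales")` flags `sales.x` (traversal in write.metadata.path) and `sales.y` (different bucket) while leaving the benign request alone; the same `is_within` test is what a storage-layer policy should enforce before any credential is vended.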
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Given the critical nature of this credential vending vulnerability, administrators should monitor Apache security advisories closely for the release of a patch. Until a fix is applied, limit the ability of untrusted callers to initiate staged table creation or modify location properties.