CVE-2026-42809

Apache · Polaris

Apache Polaris incorrectly issues temporary storage credentials for staged table creation before validating the target location, allowing attackers to influence credential scope.

Executive summary

Apache Polaris contains a critical flaw in its credential vending process that allows attackers to influence the scope of temporary storage credentials, potentially leading to unauthorized data access.

Vulnerability

The vulnerability stems from improper validation of custom locations in the staged table creation flow. A caller can supply a target location that is neither validated against the catalog's allowed locations nor checked for overlap with existing tables before the application issues temporary, broad storage credentials for it, enabling access to data paths the caller is not authorized for.
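The check that this flow needs to run before any credential is derived, as an added example that is not Apache Polaris code: the function names, the allowed-base list and the credential structure are hypothetical, and the sample locations are constructed.

```python
"""Added example, not Apache Polaris code: validate a staged table's requested
location before a storage credential is scoped to it (allowed-base containment
plus overlap with existing table locations). Names are hypothetical."""
import posixpath
from urllib.parse import urlsplit, urlunsplit


def normalize(uri: str) -> str:
    """Resolve '.'/'..' segments, collapse slashes and drop query/fragment so
    prefix comparisons cannot be bypassed; the result always ends in '/'."""
    parts = urlsplit(uri)
    path = posixpath.normpath("/" + parts.path.lstrip("/"))
    if path == "/":  # bucket root
        path = ""
    return urlunsplit((parts.scheme, parts.netloc, path, "", "")).rstrip("/") + "/"


def is_within(location: str, base: str) -> bool:
    """True when location equals base or lies beneath it. Slash-terminated
    strings keep 'wh/db-other/' from matching base 'wh/db/'."""
    return normalize(location).startswith(normalize(base))


def overlaps(a: str, b: str) -> bool:
    """Two table locations overlap if either contains the other."""
    return is_within(a, b) or is_within(b, a)


def validate_staged_location(requested, allowed_bases, existing_locations) -> str:
    """Return the normalized location or raise ValueError. Runs before
    vending, so a rejected location never reaches the credential step."""
    loc = normalize(requested)
    if not any(is_within(loc, base) for base in allowed_bases):
        raise ValueError(f"{loc} is outside the catalog's allowed base locations")
    clashes = [o for o in existing_locations if overlaps(loc, o)]
    if clashes:
        raise ValueError(f"{loc} overlaps existing table location(s) {clashes}")
    return loc


def vend_scoped_credential(requested, allowed_bases, existing_locations) -> dict:
    """Hypothetical vending step: the scope comes from the validated
    location, never from the raw request string."""
    loc = validate_staged_location(requested, allowed_bases, existing_locations)
    return {"read_write_prefixes": [loc], "ttl_seconds": 3600}
```

With an allowed base of `s3://wh/db/` and an existing table at `s3://wh/db/orders/`, a request for `s3://wh/db/orders_v2` is vended a credential scoped to exactly that prefix, while `s3://wh/db/../../secrets`, `s3://wh/db-other/t` and the parent path `s3://wh/db` are all rejected before any credential exists.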

Business impact

Successful exploitation allows an attacker to manipulate the scope of storage credentials, leading to potential unauthorized access to sensitive data and metadata stored in the underlying infrastructure. With a CVSS score of 9.9, this vulnerability represents an extreme risk to data integrity and confidentiality within the Apache Polaris environment.

Remediation

Immediate Action: Apply the latest security patches provided by the Apache Software Foundation for Polaris as soon as they become available.

Proactive Monitoring: Audit the logs for table creation and credential requests, looking for unexpected locations or anomalous property inputs such as write.data.path or write.metadata.path.

Compensating Controls: Implement strict IAM policies at the storage layer to limit the scope of credentials generated by Polaris, ensuring they are restricted to known-good bucket paths.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Given the critical nature of this credential vending vulnerability, administrators should monitor Apache security advisories closely for the release of a patch. Until a fix is applied, limit the ability of untrusted callers to initiate staged table creation or modify location properties.