CVE-2026-42809
published 2026-05-04CVE-2026-42809: Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or…
PriorityP262critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EPSS
0.36%
27.4th percentile
Apache Polaris can issue broad temporary ("vended") storage credentials during
staged
table creation before the effective table location has been validated or
durably reserved.
Those temporary credentials are meant to limit the scope
of
accessible table data and metadata, but this scope limitation becomes
attacker-
directed because the attacker can choose a reachable target location.
In the confirmed variant, if the caller supplies a custom `location` during
stage create and requests credential vending, Apache Polaris uses that location to
construct delegated storage credentials immediately. The stage-create path
itself neither runs the normal location validation nor the overlap checks
before those credentials are issued.
Closely related to that, the staged-create flow also accepts
`write.data.path` / `write.metadata.path` in the request properties and
feeds
those location overrides into the same effective table location set used for
credential vending. Those fields are secondary to the main custom-`location`
exploit, but they are still attacker-influenced location inputs that should
be
validated before any credentials are issued.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | polaris | < 1.4.1 | 1.4.1 |
| apache_software_foundation | apache_polaris | < 1.4.1 | 1.4.1 |
CVSS provenance
nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Apache Polaris has an Improper Input Validation Issue
ghsa·2026-05-04
CVE-2026-42809 [CRITICAL] CWE-20 Apache Polaris has an Improper Input Validation Issue
Apache Polaris has an Improper Input Validation Issue
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker-directed because the attacker can choose a reachable target location.
In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued.
Closely rela
GHSA
GHSA-8ggj-j522-h5qf: Apache Polaris can issue broad temporary ("vended") storage credentials during
staged
table creation before the effective table location has been vali
ghsa_unreviewed·2026-05-04
CVE-2026-42809 [CRITICAL] CWE-20 GHSA-8ggj-j522-h5qf: Apache Polaris can issue broad temporary ("vended") storage credentials during
staged
table creation before the effective table location has been vali
Apache Polaris can issue broad temporary ("vended") storage credentials during
staged
table creation before the effective table location has been validated or
durably reserved.
Those temporary credentials are meant to limit the scope
of
accessible table data and metadata, but this scope limitation becomes
attacker-
directed because the attacker can choose a reachable target location.
In the confirmed variant, if the caller supplies a custom `location` during
stage create and requests credential vending, Apache Polaris uses that location to
construct delegated storage credentials immediately. The stage-create path
itself neither runs the normal location validation nor the overlap checks
before those credentials are issued.
Closely related to that, the staged-create flow also accepts
`wr
VulDB
Apache Polaris up to 1.4.0 Staged Table Creation information disclosure
vuldb·2026-05-03
CVE-2026-42809 [LOW] Apache Polaris up to 1.4.0 Staged Table Creation information disclosure
A vulnerability described as problematic has been identified in Apache Polaris up to 1.4.0. Affected is an unknown function of the component Staged Table Creation. The manipulation results in information disclosure.
This vulnerability is identified as CVE-2026-42809. The attack can be executed remotely. There is not any exploit available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-04
Published