CVE-2026-42809
Description
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location.
In the confirmed variant, if the caller supplies a custom location during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued.
Closely related to that, the staged-create flow also accepts write.data.path / write.metadata.path in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-location exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.polaris:polaris-runtime-serviceMaven | < 1.4.1 | 1.4.1 |
Affected products
2Patches
Vulnerability mechanics
References
6- www.openwall.com/lists/oss-security/2026/05/02/10nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-8ggj-j522-h5qfghsaADVISORY
- lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671rnvdMailing ListVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-42809ghsaADVISORY
- github.com/apache/polaris/commit/c98d610bc8f7ee237b272e01814391838dd6abf9ghsaWEB
- github.com/apache/polaris/releases/tag/apache-polaris-1.4.1ghsaWEB
News mentions
0No linked articles in our index yet.