Compliance Impact

This vulnerability exposes static and temporary access credentials in cleartext to users with SQL write privileges, leading to unauthorized access to sensitive storage credentials.

Such exposure of sensitive information can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require proper handling and protection of sensitive data and credentials.

Specifically, the improper removal and cleartext storage of sensitive credentials (CWE-212 and CWE-312) violates principles of confidentiality and data security mandated by these regulations.

Therefore, organizations using affected versions of Trino could face compliance risks until the vulnerability is patched by upgrading to version 480 or later.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-34214 is a vulnerability in the Iceberg connector REST catalog used in Trino versions from 439 to before 480. The issue occurs because static credentials (such as access keys) or temporary vended credentials required for object storage access are embedded in cleartext within the serialized query JSON. This query JSON is accessible via the Trino UI or API endpoints. Users who have write privileges at the SQL level on the Iceberg connector can access these query JSON objects and thereby gain unauthorized access to sensitive storage credentials.

The root cause is improper handling of sensitive information, specifically the failure to remove or protect credentials before storage or transfer, classified under CWE-212 and CWE-312. This allows users with relatively low privileges to retrieve sensitive credentials that should be protected.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive static or temporary access credentials for object storage. Any user with SQL write privileges on the Iceberg connector can retrieve these credentials, which could then be used to access or manipulate data stored in the object storage systems.

Although temporary credentials are transient and do not require rotation, their exposure still poses a risk of unauthorized data access. The vulnerability has a high severity score (CVSS 7.7) due to the ease of exploitation over the network, low privilege requirements, and the high confidentiality impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if users with SQL write privileges on the Iceberg connector REST catalog can access query JSON objects that contain serialized credentials.

Specifically, you can attempt to retrieve query JSON data via the Trino UI or API endpoints such as /ui/api/query/«query_id» or /v1/query/«query_id» to see if static or temporary credentials are exposed.

Commands or queries to identify this might include using SQL to list or access queries related to Iceberg connector writes and then accessing the corresponding query JSON via API calls.

• Use SQL to identify queries with write privileges on Iceberg connector tables.
• Access the query JSON via API endpoints like: curl -X GET http://<trino-server>/v1/query/<query_id>
• Inspect the returned JSON for embedded static or temporary credentials.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Trino to version 480 or later, where this vulnerability has been patched.

Until the upgrade is applied, restrict SQL write privileges on the Iceberg connector REST catalog to trusted users only, as any user with write access can retrieve sensitive credentials.

Additionally, consider monitoring and auditing access to query JSON endpoints to detect unauthorized attempts to access credentials.

Useful 0 Not Useful 0