CVE-2026-42809
Temporary Storage Credential Issuance in Apache Polaris
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | polaris | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to obtain broad temporary storage credentials before the effective table location is validated or reserved, potentially granting unauthorized access to sensitive data.
Such unauthorized access to data could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on data access and protection of personal and sensitive information.
Because the attacker can influence the scope of accessible data, this flaw undermines the principle of least privilege and could result in non-compliance with these regulations.
Can you explain this vulnerability to me?
This vulnerability in Apache Polaris involves the issuance of broad temporary storage credentials during staged table creation before the table location has been properly validated or reserved.
The temporary credentials are intended to limit access to specific table data and metadata, but due to insufficient validation, an attacker can supply a custom location and cause Apache Polaris to issue credentials scoped to that attacker-chosen location.
The vulnerability arises because the stage-create process does not perform normal location validation or overlap checks before issuing delegated storage credentials, allowing attackers to influence the scope of these credentials.
Additionally, attacker-controlled properties like write.data.path and write.metadata.path can also influence the effective table location used for credential vending, further expanding the attack surface.
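A defender-side illustration of the missing check, added here as constructed Python rather than Polaris's own code: the table location and the write.data.path / write.metadata.path properties are each normalized and must all fall inside the catalog's allowed base location before any storage credential is vended, on the stage-create path as well as the normal one. The names credential_scope, is_within and allowed_base are assumptions for this example.

```python
from urllib.parse import urlparse
import posixpath

# Constructed example, not Polaris code. The table location and the two
# Iceberg write properties named in the advisory all feed the credential scope.
LOCATION_PROPERTIES = ("write.data.path", "write.metadata.path")


def normalize(uri: str) -> tuple:
    """Split a storage URI into (scheme, bucket, path segments) with '.'/'..' resolved."""
    p = urlparse(uri)
    if not p.scheme or not p.netloc:
        raise ValueError(f"not an absolute storage URI: {uri!r}")
    path = posixpath.normpath("/" + p.path)  # collapses '//', '.', and '..' (never above root)
    segments = tuple(s for s in path.split("/") if s)
    return (p.scheme.lower(), p.netloc.lower(), segments)


def is_within(child: str, parent: str) -> bool:
    """Segment-wise containment: s3://b/warehouse-evil is NOT under s3://b/warehouse,
    which a plain string-prefix comparison would get wrong."""
    cs, cb, cp = normalize(child)
    ps, pb, pp = normalize(parent)
    return cs == ps and cb == pb and cp[: len(pp)] == pp


def credential_scope(allowed_base: str, table_location: str, properties: dict) -> list:
    """Return the locations a vended credential may cover, or raise if any escapes the base.

    Every location the caller can influence (the requested table location plus the
    write.* path properties) is validated before delegated credentials are issued.
    """
    candidates = [table_location] + [
        properties[k] for k in LOCATION_PROPERTIES if k in properties
    ]
    for loc in candidates:
        if not is_within(loc, allowed_base):
            raise PermissionError(f"location {loc!r} is outside allowed base {allowed_base!r}")
    return list(dict.fromkeys(candidates))  # de-duplicate, keep order


def scope_is_valid(allowed_base: str, table_location: str, properties: dict) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        credential_scope(allowed_base, table_location, properties)
        return True
    except PermissionError:
        return False
```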
How can this vulnerability impact me?
This vulnerability can allow an attacker to obtain temporary storage credentials with broader access than intended.
Because the attacker can specify the location for which credentials are issued, they may gain unauthorized access to data and metadata in storage locations they should not be able to reach.
This can lead to data exposure, unauthorized data modification, or other malicious actions within the storage system.