Trino: Iceberg REST catalog static and vended credentials are accessible...

7.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Description

Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.

Basic Information

ID CVE-2026-34214

Source GitHub_M

Published Mar 31, 2026 at 14:14

Modified Mar 31, 2026 at 14:28

Affected Product

Vendor trinodb

Product trino

Version >= 439, < 480

Affected Versions trinodb trino >= 439, < 480

CWE Classification

CWE-212 CWE-312

References

{
    "lastseen": "",
    "description": "Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.",
    "published": "2026-03-31T14:14:47.982Z",
    "modified": "2026-03-31T14:28:53.287Z",
    "type": "cve",
    "title": "Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON",
    "source": "GitHub_M",
    "references": "https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644\nhttps://github.com/trinodb/trino/releases/tag/480",
    "id": "CVE-2026-34214",
    "bulletinFamily": "",
    "cwe": [
        "CWE-212",
        "CWE-312"
    ],
    "cvelist": null,
    "sourceData": "trinodb trino >= 439, < 480",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "trino",
    "version": ">= 439, < 480",
    "vendor": "trinodb",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON_CVE-2026-34214