CVE 9.4 CRITICAL

Apache Polaris: An authenticated low-privileged user can abuse Polaris staged table creation to mint broad temporary storage credentials for an attacker-chosen location before Polaris validates that location_CVE-2026-42809

May 4, 2026 invoker category_cve

9.4 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

Apache Polaris can issue broad temporary ("vended") storage credentials during
staged
table creation before the effective table location has been validated or
durably reserved.
Those temporary credentials are meant to limit the scope
of
accessible table data and metadata, but this scope limitation becomes
attacker-
directed because the attacker can choose a reachable target location.

In the confirmed variant, if the caller supplies a custom `location` during
stage create and requests credential vending, Apache Polaris uses that location to
construct delegated storage credentials immediately. The stage-create path
itself neither runs the normal location validation nor the overlap checks
before those credentials are issued.

Closely related to that, the staged-create flow also accepts
`write.data.path` / `write.metadata.path` in the request properties and
feeds
those location overrides into the same effective table location set used for
credential vending. Those fields are secondary to the main custom-`location`
exploit, but they are still attacker-influenced location inputs that should
be
validated before any credentials are issued.

AI Analysis

Apache Polaris vulnerability allowing an authenticated low-privileged user to abuse staged table creation and obtain broad temporary storage credentials for an attacker-chosen location

Basic Information

ID CVE-2026-42809

Source apache

Published May 4, 2026 at 16:22

Affected Product

Vendor Apache Software Foundation

Product Apache Polaris

Affected Versions Apache Software Foundation Apache Polaris 0

CWE Classification

CWE-862 CWE-20

AI Assessment

AI Score 9.4 / 10

AI Severity Critical

Vendor Apache Software Foundation

Product Apache Polaris

References

lists.apache.org /thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r

{
    "lastseen": "",
    "description": "Apache Polaris can issue broad temporary (\"vended\") storage credentials during\nstaged\ntable creation before the effective table location has been validated or\ndurably reserved. \nThose temporary credentials are meant to limit the scope\nof\naccessible table data and metadata, but this scope limitation becomes\nattacker-\ndirected because the attacker can choose a reachable target location.\n\n\n\nIn the confirmed variant, if the caller supplies a custom `location` during\nstage create and requests credential vending, Apache Polaris uses that location to\nconstruct delegated storage credentials immediately. The stage-create path\nitself neither runs the normal location validation nor the overlap checks\nbefore those credentials are issued.\n\n\n\nClosely related to that, the staged-create flow also accepts\n`write.data.path` / `write.metadata.path` in the request properties and\nfeeds\nthose location overrides into the same effective table location set used for\ncredential vending. Those fields are secondary to the main custom-`location`\nexploit, but they are still attacker-influenced location inputs that should\nbe\nvalidated before any credentials are issued.",
    "published": "2026-05-04T16:22:48.527Z",
    "modified": "2026-05-04T16:22:48.527Z",
    "type": "cve",
    "title": "Apache Polaris: An authenticated low-privileged user can abuse Polaris staged table creation to mint broad temporary storage credentials for an attacker-chosen location before Polaris validates that location",
    "source": "apache",
    "references": "https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r",
    "id": "CVE-2026-42809",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862",
        "CWE-20"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Polaris 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Polaris",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "Apache Polaris vulnerability allowing an authenticated low-privileged user to abuse staged table creation and obtain broad temporary storage credentials for an attacker-chosen location",
    "ai_severity": "Critical",
    "ai_vendor": "Apache Software Foundation",
    "ai_product": "Apache Polaris",
    "ai_version": "0",
    "ai_score": 9.4
}

💭 Join the Security Discussion ❌ Cancel Reply