CVE-2026-42809

EPSS 0.1%
Veröffentlicht 04.05.2026 16:22:48
Zuletzt bearbeitet 12.05.2026 13:28:35
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Polaris: staged table creation could vend storage credentials for unvalidated locations

Apache Polaris can issue broad temporary ("vended") storage credentials during
staged
table creation before the effective table location has been validated or
durably reserved. 
Those temporary credentials are meant to limit the scope
of
accessible table data and metadata, but this scope limitation becomes
attacker-
directed because the attacker can choose a reachable target location.



In the confirmed variant, if the caller supplies a custom `location` during
stage create and requests credential vending, Apache Polaris uses that location to
construct delegated storage credentials immediately. The stage-create path
itself neither runs the normal location validation nor the overlap checks
before those credentials are issued.



Closely related to that, the staged-create flow also accepts
`write.data.path` / `write.metadata.path` in the request properties and
feeds
those location overrides into the same effective table location set used for
credential vending. Those fields are secondary to the main custom-`location`
exploit, but they are still attacker-influenced location inputs that should
be
validated before any credentials are issued.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Polaris Version < 1.4.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.261

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@apache.org	9.4	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
security@apache.org	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/02/10

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-42809

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42809

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42809

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42809