CVE-2026-42809
Published: 04 May 2026
Description
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but…
more
this scope limitation becomes attacker- directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
Security SummaryAI
CVE-2026-42809 is a critical vulnerability (CVSS 9.9) in Apache Polaris, specifically in the staged table creation process. Polaris issues broad temporary ("vended") storage credentials before validating or durably reserving the effective table location. These credentials are intended to limit access to table data and metadata, but an attacker can supply a custom `location` during stage create and request credential vending, causing Polaris to construct delegated storage credentials based on that unvalidated attacker-controlled location. Related inputs like `write.data.path` and `write.metadata.path` in request properties also feed into the credential scope without prior validation (CWE-20, CWE-862).
The vulnerability enables remote exploitation (AV:N) by low-privilege authenticated users (PR:L/AC:L/UI:N) with changed scope (S:C), leading to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). An attacker can direct the temporary credentials to any reachable target storage location of their choice, effectively bypassing intended scope limitations and gaining unauthorized broad access to storage for reading or writing data and metadata.
Mitigation details are available in the Apache advisory at https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r and the oss-security announcement at http://www.openwall.com/lists/oss-security/2026/05/02/10.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability allows low-privilege authenticated users to obtain improperly scoped temporary storage credentials via unvalidated location input, directly enabling privilege escalation (T1068) and subsequent unauthorized access to cloud/object storage data and metadata (T1530).