Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.4
CVE-2026-42809: Apache Polaris issues broad temporary storage credentials
CVE-2026-42809
GHSA-8ggj-j522-h5qf
Summary
Apache Polaris can create temporary storage credentials that give an attacker too much access to data. This happens when creating a new table before checking where the data will be stored. To fix this, ensure you validate the storage location before creating temporary credentials.
What to do
- Update org.apache.polaris:polaris-runtime-service to version 1.4.1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| maven | – | org.apache.polaris:polaris-runtime-service |
< 1.4.1 Fix: upgrade to 1.4.1
|
Original title
Apache Polaris has an Improper Input Validation Issue
Original description
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker-directed because the attacker can choose a reachable target location.
In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued.
Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and
feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.
In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued.
Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and
feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.
nvd CVSS3.1
9.9
nvd CVSS4.0
9.4
Vulnerability type
CWE-20
Improper Input Validation
CWE-862
Missing Authorization
- https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r
- http://www.openwall.com/lists/oss-security/2026/05/02/10
- https://nvd.nist.gov/vuln/detail/CVE-2026-42809
- https://github.com/apache/polaris/commit/c98d610bc8f7ee237b272e01814391838dd6abf...
- https://github.com/apache/polaris/releases/tag/apache-polaris-1.4.1
- https://github.com/advisories/GHSA-8ggj-j522-h5qf
Published: 4 May 2026 · Updated: 28 May 2026 · First seen: 4 May 2026