Description
Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.
Published: 2026-03-31
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure via JSON response
Action: Patch Immediately
AI Analysis

Impact

This vulnerability allows users who have write privilege on SQL queries to read the REST catalog configuration of the Iceberg connector in Trino. The configuration contains either a static access key or a temporary, vended access key. An attacker who can submit a write query can therefore obtain the key through the JSON returned by the query. The stolen key can give the attacker unauthorized access to the underlying data lake or cloud storage, enabling data exfiltration or further compromise of the platform. The weakness is represented by CWE-212 and CWE-312.

Affected Systems

Trino, the distributed SQL engine from Trinodb. The affected product is the Iceberg connector’s REST catalog configuration. Versions starting from 439 up to but not including 480 are vulnerable. All deployments relying on these versions carry the risk.

Risk and Exploitability

The CVSS score is 7.7, indicating a high potential impact. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild today, and the vulnerability has not been identified in the CISA KEV catalog. The likely attack vector requires that the attacker can execute write-level SQL queries within the Trino environment. If such privileges exist, credential disclosure is straightforward, making remediation a priority.

Generated by OpenCVE AI on April 6, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Trino to version 480 or later to receive the patch that removes the credential exposure.
  • If upgrading immediately is not possible, limit SQL write privileges in the environment to trusted users only.
  • Review and tighten Iceberg connector configuration to remove or encrypt stored credentials where feasible.
  • Verify all privileged users and audit access controls to reduce the attack surface.

Advisories
Source: Github GHSA
ID: GHSA-x27p-5f68-m644
Title: Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON
History

Mon, 06 Apr 2026 18:00:00 +0000

First Time appeared: Trino; Trino trino
CPEs: cpe:2.3:a:trino:trino:*:*:*:*:*:*:*:*
Vendors & Products: Trino; Trino trino

Wed, 01 Apr 2026 02:15:00 +0000

First Time appeared: Trinodb; Trinodb trino
Vendors & Products: Trinodb; Trinodb trino

Tue, 31 Mar 2026 15:15:00 +0000

Metrics: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 14:30:00 +0000

Description: Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.
Title: Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON
Weaknesses: CWE-212; CWE-312
References
Metrics: cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:28:53.287Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34214

Vulnrichment

Updated: 2026-03-31T14:28:49.762Z

NVD

Status : Analyzed

Published: 2026-03-31T15:16:18.400

Modified: 2026-04-06T16:53:34.467

Link: CVE-2026-34214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:05Z

Weaknesses