Description
Apache Polaris can issue broad temporary ("vended") storage credentials during
staged
table creation before the effective table location has been validated or
durably reserved.
Those temporary credentials are meant to limit the scope
of
accessible table data and metadata, but this scope limitation becomes
attacker-
directed because the attacker can choose a reachable target location.



In the confirmed variant, if the caller supplies a custom `location` during
stage create and requests credential vending, Apache Polaris uses that location to
construct delegated storage credentials immediately. The stage-create path
itself neither runs the normal location validation nor the overlap checks
before those credentials are issued.



Closely related to that, the staged-create flow also accepts
`write.data.path` / `write.metadata.path` in the request properties and
feeds
those location overrides into the same effective table location set used for
credential vending. Those fields are secondary to the main custom-`location`
exploit, but they are still attacker-influenced location inputs that should
be
validated before any credentials are issued.
Published: 2026-05-04
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Polaris allows an authenticated low‑privileged user to request staged table creation with a custom location or write.data.path/write.metadata.path values. The service immediately generates delegated storage credentials for the requested location before performing normal location validation or overlap checks. This bypasses intended scope restriction, enabling the attacker to obtain unrestricted access to an arbitrary storage location, thereby exposing sensitive data and metadata. The vulnerability is rooted in improper input validation (CWE‑20) and missing authorization checks (CWE‑862).

Affected Systems

The flaw exists in Apache Polaris provided by the Apache Software Foundation. It affects any deployed instance that exposes the stage‑create endpoint to authenticated users, regardless of the specific Polaris version, as no version details were supplied.

Risk and Exploitability

With a CVSS score of 9.4 the vulnerability is considered critical. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attack requires an authenticated user with low privileges, who can send a stage‑create request containing a chosen storage location. By doing so, the attacker can obtain temporary credentials that grant them full access to the target storage, potentially leading to data exfiltration, modification, or deletion.

Generated by OpenCVE AI on May 4, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to an Apache Polaris release that contains the confirmed fix for credential vending before location validation.
  • If upgrading is not immediately possible, restrict the stage‑create capability or enforce strict validation of the location, write.data.path, and write.metadata.path fields before any credentials are issued.
  • Limit the issuance of temporary storage credentials to approved storage namespaces and apply policy controls that audit and block any credential grants to arbitrary locations.

Generated by OpenCVE AI on May 4, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache polaris
Vendors & Products Apache
Apache polaris

Mon, 04 May 2026 17:30:00 +0000

Type Values Removed Values Added
References

Mon, 04 May 2026 17:15:00 +0000

Type Values Removed Values Added
Title Apache Polaris: An authenticated low-privileged user can abuse Polaris staged table creation to mint broad temporary storage credentials for an attacker-chosen location before Polaris validates that location Apache Polaris: staged table creation could vend storage credentials for unvalidated locations
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.
Title Apache Polaris: An authenticated low-privileged user can abuse Polaris staged table creation to mint broad temporary storage credentials for an attacker-chosen location before Polaris validates that location
Weaknesses CWE-20
CWE-862
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Apache Polaris
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-04T16:38:51.761Z

Reserved: 2026-04-30T13:55:36.799Z

Link: CVE-2026-42809

cve-icon Vulnrichment

Updated: 2026-05-04T16:38:51.761Z

cve-icon NVD

Status : Received

Published: 2026-05-04T17:16:26.307

Modified: 2026-05-04T17:16:26.307

Link: CVE-2026-42809

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T19:44:03Z

Weaknesses