Introduction
An authenticated user with minimal privileges can trick Apache Polaris into minting temporary storage credentials scoped to any reachable storage location of the attacker's choosing, simply by supplying a crafted location during staged table creation. With a CVSS 3.1 base score of 9.9 and a scope change that extends impact beyond the vulnerable component, this vulnerability represents a serious credential scoping failure in the data catalog's delegated access model.
Apache Polaris is an open source, fully featured catalog for managing tabular data, commonly used in modern data lakehouse architectures. It serves as the reference implementation of the Apache Iceberg REST Catalog specification and is bundled by downstream vendors such as Dremio in their Open Catalog offering. Its role as a central authority for table metadata and credential delegation makes vulnerabilities in its access control logic particularly consequential.
Technical Information
Root Cause
CVE-2026-42809 arises from two intersecting weaknesses in the staged table creation workflow of Apache Polaris: improper input validation (CWE-20) and missing authorization (CWE-862). When a client initiates a staged table creation and requests credential vending, Polaris is designed to issue temporary ("vended") storage credentials that are scoped to the table's effective location. The intent is to limit what data and metadata the holder of those credentials can access.
The flaw is that the stage create code path issues these delegated storage credentials before the effective table location has been validated or durably reserved. Critically, the caller can supply their own location parameter, and Polaris uses that attacker supplied value to construct the credential scope immediately. The normal location validation logic and overlap checks that would ordinarily prevent a user from specifying an arbitrary storage path are simply not executed before the credentials are handed back.
CVSS Scoring
The severity is reflected in both scoring frameworks:
| Framework | Vector | Score |
|---|---|---|
| CVSS 3.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 9.9 |
| CVSS 4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H | 9.4 |
The scope change (S:C in CVSS 3.1) is significant here: the vulnerability in the Polaris catalog component allows the attacker to affect resources in the underlying storage layer, which is a separate authorization boundary.
Exploit Path 1: Custom Location with Credential Vending
This is the primary confirmed variant. The attack flow proceeds as follows:
- An authenticated user with low privileges (sufficient to create staged tables) sends a stage create request to the Polaris REST API.
- The request includes a custom location parameter pointing to an attacker chosen storage path, such as a path containing sensitive data belonging to another table or namespace.
- The request also enables credential vending, asking Polaris to return temporary storage credentials.
- Polaris constructs delegated storage credentials scoped to the attacker supplied location and returns them in the response.
- The stage create path does not run the normal location validation or overlap checks before issuing these credentials.
- The attacker now holds valid temporary credentials (for example, scoped AWS STS tokens or GCS access tokens) that grant read and write access to the target location.
Because the attacker chooses the location, the "scope limitation" that is supposed to restrict credentials to a single table's data becomes entirely attacker directed.
Exploit Path 2: Write Path Property Overrides
The staged create flow also accepts write.data.path and write.metadata.path in the request properties. Polaris feeds these location overrides into the same effective table location set used for credential vending. While secondary to the main custom location exploit, these fields provide additional attacker influenced location inputs that bypass validation before credentials are issued.
An attacker could use these properties either independently or in combination with the custom location parameter to broaden the scope of the vended credentials further, potentially gaining access to metadata storage paths that would otherwise be restricted.
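The root cause described above is one of ordering: the location validation and overlap checks exist, but credentials are minted before they run, and the write.data.path and write.metadata.path overrides feed the same unchecked location set. The following Python model, added for this article and not taken from the Apache Polaris source, shows the corrected ordering in a simplified catalog: every caller-influenced location (the explicit location plus both write path overrides) is canonicalized, checked for containment in the namespace's base location and for overlap with existing tables, and only then passed to the credential vending step. The flawed ordering is these two calls swapped. All names (StageCreateRequest, NamespaceContext, vend_credentials, stage_create_hardened) and the sample bucket layout are assumptions for illustration.

```python
"""Model of the corrected ordering: validate every caller-supplied location, then vend.

Hypothetical, simplified code written for this article; it is not Apache Polaris
source, and the names below (StageCreateRequest, NamespaceContext, vend_credentials,
stage_create_hardened) and the sample bucket layout are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse
import posixpath


class LocationRejected(Exception):
    """Raised when a requested storage location fails validation."""


@dataclass(frozen=True)
class StorageLocation:
    scheme: str
    bucket: str
    prefix: str  # canonical key prefix: "" for the bucket root, otherwise ends in "/"

    def uri(self) -> str:
        return f"{self.scheme}://{self.bucket}/{self.prefix}"


def normalize(uri: str) -> StorageLocation:
    """Canonicalize an object-store URI before any comparison.

    posixpath.normpath collapses '.', '..' and repeated slashes, so a key such as
    'ns1/t/../../hr' cannot pass a plain string-prefix test; a trailing slash is
    appended so 'ns1/orders' is not mistaken for a prefix of 'ns1/orders_v2'.
    """
    parsed = urlparse(uri)
    if parsed.scheme not in ("s3", "gs", "abfss") or not parsed.netloc:
        raise LocationRejected(f"unsupported or malformed location: {uri!r}")
    key = posixpath.normpath("/" + parsed.path).lstrip("/")
    return StorageLocation(parsed.scheme, parsed.netloc, key + "/" if key else "")


def is_within(loc: StorageLocation, base: StorageLocation) -> bool:
    """True when loc lives under base in the same bucket."""
    return (loc.scheme, loc.bucket) == (base.scheme, base.bucket) and loc.prefix.startswith(base.prefix)


def overlaps(a: StorageLocation, b: StorageLocation) -> bool:
    """True when either location is a prefix of the other (same bucket)."""
    return (a.scheme, a.bucket) == (b.scheme, b.bucket) and (
        a.prefix.startswith(b.prefix) or b.prefix.startswith(a.prefix))


@dataclass
class StageCreateRequest:
    table: str
    location: Optional[str] = None          # caller-supplied explicit location
    properties: dict = field(default_factory=dict)  # may carry write.*.path overrides


@dataclass
class NamespaceContext:
    base_location: str              # the only root this namespace may use
    existing_table_locations: list  # locations already owned by other tables


def effective_locations(req: StageCreateRequest, ctx: NamespaceContext) -> frozenset:
    """Collect every location the caller can influence, overrides included."""
    default = f"{ctx.base_location.rstrip('/')}/{req.table}"
    candidates = [req.location or default]
    for key in ("write.data.path", "write.metadata.path"):
        if key in req.properties:
            candidates.append(req.properties[key])
    return frozenset(normalize(c) for c in candidates)


def validate_locations(locs: frozenset, ctx: NamespaceContext) -> frozenset:
    """Reject anything outside the namespace base or overlapping an existing table."""
    base = normalize(ctx.base_location)
    taken = [normalize(t) for t in ctx.existing_table_locations]
    for loc in locs:
        if not is_within(loc, base):
            raise LocationRejected(f"{loc.uri()} is outside {base.uri()}")
        for other in taken:
            if overlaps(loc, other):
                raise LocationRejected(f"{loc.uri()} overlaps existing table {other.uri()}")
    return locs


def vend_credentials(locs: frozenset) -> dict:
    """Stand-in for the STS/GCS token call; only the resulting scope matters here."""
    return {"scope": sorted(l.uri() for l in locs), "token": "<placeholder-token>"}


def stage_create_hardened(req: StageCreateRequest, ctx: NamespaceContext, vend: bool) -> dict:
    """Validate first, vend second. The vulnerable ordering is these two steps swapped."""
    locs = validate_locations(effective_locations(req, ctx), ctx)
    if vend:
        return vend_credentials(locs)
    return {"scope": sorted(l.uri() for l in locs)}


if __name__ == "__main__":
    ctx = NamespaceContext("s3://lake/warehouse/ns1/", ["s3://lake/warehouse/ns1/orders"])
    print(stage_create_hardened(StageCreateRequest("customers"), ctx, vend=True))
    for bad in (StageCreateRequest("t", location="s3://lake/warehouse/ns1/x/../../hr/salaries"),
                StageCreateRequest("t", properties={"write.metadata.path": "s3://lake/warehouse/ns1/orders"})):
        try:
            stage_create_hardened(bad, ctx, vend=True)
        except LocationRejected as e:
            print("rejected:", e)
```

The containment check uses the namespace base as the only acceptable root, so a relative-path escape or a different bucket fails before any token is requested, and the overlap check treats the write path overrides exactly like the explicit location, which is the gap Exploit Path 2 relies on.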
Impact
The consequences of successful exploitation are threefold:
Confidentiality: The attacker obtains temporary credentials scoped to arbitrary storage locations, enabling unauthorized reads of sensitive data across the connected object storage.
Integrity: The same credentials grant write access, allowing the attacker to modify or corrupt data and metadata at the target location.
Availability: Misuse of metadata and data write capabilities before validation occurs can lead to operational disruptions or corruption of the storage environment.
Detection Opportunities
Organizations should monitor request logs for stage create calls that set location, write.data.path, or write.metadata.path properties while simultaneously enabling credential vending. Anomalous storage access patterns to nonstandard locations using temporary credentials may indicate active exploitation attempts.
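As an added example of the monitoring described above (not tooling from the Polaris project), the Python below scans constructed API request records for stage create calls that both carry a caller-supplied location field and ask for vended credentials, and rates a finding higher when the supplied location falls outside the namespace's configured base. The body fields `stage-create`, `location` and `properties`, and the `X-Iceberg-Access-Delegation: vended-credentials` header, come from the Apache Iceberg REST catalog specification; the one-JSON-object-per-request log layout, the endpoint path prefix, the sample records and the per-namespace base map are assumptions made for this example.

```python
"""Flag stage-create requests that combine caller-supplied locations with credential vending.

Added example for this article, not Apache Polaris tooling. The body fields
"stage-create", "location", "properties" and the X-Iceberg-Access-Delegation header
follow the Apache Iceberg REST catalog specification; the log layout (one JSON object
per request), the endpoint prefix, the records and NAMESPACE_BASES are constructed.
"""
import json
import re

# Constructed sample log: one JSON-encoded request record per line.
SAMPLE_LOG = r"""
{"ts":"2026-05-04T10:01:02Z","principal":"analyst-7","method":"POST","path":"/api/catalog/v1/lake/namespaces/ns1/tables","headers":{"X-Iceberg-Access-Delegation":"vended-credentials"},"body":{"name":"orders_tmp","stage-create":true,"location":"s3://lake/warehouse/hr/salaries"}}
{"ts":"2026-05-04T10:01:09Z","principal":"etl-svc","method":"POST","path":"/api/catalog/v1/lake/namespaces/ns1/tables","headers":{"X-Iceberg-Access-Delegation":"vended-credentials"},"body":{"name":"orders","stage-create":true}}
{"ts":"2026-05-04T10:02:30Z","principal":"analyst-7","method":"POST","path":"/api/catalog/v1/lake/namespaces/ns1/tables","headers":{"X-Iceberg-Access-Delegation":"vended-credentials"},"body":{"name":"x","stage-create":true,"properties":{"write.metadata.path":"s3://lake/warehouse/ns1/orders/metadata"}}}
{"ts":"2026-05-04T10:03:00Z","principal":"analyst-7","method":"POST","path":"/api/catalog/v1/lake/namespaces/ns1/tables","headers":{},"body":{"name":"scratch","stage-create":true,"location":"s3://lake/warehouse/ns1/scratch"}}
{"ts":"2026-05-04T10:03:05Z","principal":"analyst-7","method":"GET","path":"/api/catalog/v1/lake/namespaces/ns1/tables/orders","headers":{},"body":null}
""".strip()

# Assumed endpoint layout: POST .../namespaces/{ns}/tables creates (or stage-creates) a table.
TABLES_ENDPOINT = re.compile(r"^/api/catalog/v1/[^/]+/namespaces/(?P<ns>[^/]+)/tables$")
LOCATION_KEYS = ("write.data.path", "write.metadata.path")

# Assumed per-namespace base locations; in a real deployment this comes from catalog config.
NAMESPACE_BASES = {"ns1": "s3://lake/warehouse/ns1/"}


def location_inputs(body: dict) -> dict:
    """Return every caller-controlled location field present in the request body."""
    found = {}
    if body.get("location"):
        found["location"] = body["location"]
    for key in LOCATION_KEYS:
        value = (body.get("properties") or {}).get(key)
        if value:
            found[key] = value
    return found


def analyze_record(rec: dict):
    """Return a finding dict for a suspicious stage-create request, or None."""
    if rec.get("method") != "POST":
        return None
    m = TABLES_ENDPOINT.match(rec.get("path", ""))
    body = rec.get("body") or {}
    if not m or not body.get("stage-create"):
        return None
    vending = rec.get("headers", {}).get("X-Iceberg-Access-Delegation") == "vended-credentials"
    inputs = location_inputs(body)
    if not (vending and inputs):
        return None  # stage-create alone, or a custom location without vending, is routine
    ns = m.group("ns")
    base = NAMESPACE_BASES.get(ns)
    # Raw string-prefix comparison: a SIEM rule should also canonicalize the path.
    outside = sorted(k for k, v in inputs.items() if base and not v.startswith(base))
    return {
        "ts": rec["ts"],
        "principal": rec["principal"],
        "namespace": ns,
        "location_fields": sorted(inputs),
        "outside_namespace_base": outside,
        "severity": "high" if outside else "medium",
    }


def analyze_log(text: str) -> list:
    """Run analyze_record over a newline-delimited JSON log and collect findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = analyze_record(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(json.dumps(finding))
```

Against the constructed records this yields two findings: the first request (explicit location under another namespace's path with vending enabled) is rated high, and the third (a write.metadata.path override inside the namespace base) is rated medium because the override still deserves review on a pre-1.4.1 deployment. The stage create without a location, the custom location without vending, and the GET are ignored, which keeps the rule focused on the combination the advisory calls out.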
Affected Systems and Versions
All versions of Apache Polaris prior to 1.4.1 are affected. The fix is included in Apache Polaris 1.4.1, available on Maven Central and Docker Hub.
Downstream products that bundle Apache Polaris are also impacted. Dremio, which utilizes the Polaris catalog in its Open Catalog feature, released version 26.1.7 in May 2026 to address CVE-2026-42809 and three related Polaris vulnerabilities.
Organizations should enumerate all services and applications that expose the Apache Polaris staged create and credential vending functionalities, including any downstream dependencies that may require separate patching.
Vendor Security History
The release of Apache Polaris 1.4.1 addresses a pattern of delegated credential scoping flaws, fixing four distinct security issues simultaneously:
| CVE ID | Issue Summary | Fix Version |
|---|---|---|
| CVE-2026-42809 | Staged table creation mints broad credentials before location validation | 1.4.1 |
| CVE-2026-42810 | Accepts literal * characters in namespace and table names, reused unescaped in S3 IAM resource patterns and s3:prefix conditions | 1.4.1 |
| CVE-2026-42811 | Crafted namespace or table names broaden GCS credentials to work across the configured bucket instead of one table | 1.4.1 |
| CVE-2026-42812 | No protection on write.metadata.path, allowing unauthorized metadata writes | 1.4.1 |
These four vulnerabilities highlight a systemic risk class around delegated access control and credential scoping within the 1.4.0 line of Apache Polaris. The cluster of related issues suggests that the credential vending subsystem had not been subjected to adversarial review of its input handling prior to these disclosures.