CVE-2026-42809

9.9 CRITICAL
Published: May 04, 2026 Modified: May 12, 2026
View on NVD

Description

Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r
Source: security@apache.org
Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/02/10
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Third Party Advisory

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.9 / 10.0
EPSS (Exploit Probability)
0.4%
27th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

apache