CVE-2026-42809

Source
https://cve.org/CVERecord?id=CVE-2026-42809
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42809.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42809
Aliases
Published
2026-05-04T16:22:48.527Z
Modified
2026-07-08T08:12:35.287214064Z
Severity
  • 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
Apache Polaris: staged table creation could vend storage credentials for unvalidated locations
Details

Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location.

In the confirmed variant, if the caller supplies a custom location during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued.

Closely related to that, the staged-create flow also accepts write.data.path / write.metadata.path in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-location exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.

Database specific
{
    "cna_assigner": "apache",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "1.4.1"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-20",
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42809.json"
}
References

Affected packages

Git / github.com/apache/polaris

Affected ranges

Type
GIT
Repo
https://github.com/apache/polaris
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.1"
        }
    ],
    "cpe": "cpe:2.3:a:apache:polaris:*:*:*:*:*:*:*:*"
}

Affected versions

apache-polaris-1.*
apache-polaris-1.4.0
apache-polaris-1.4.0-rc0
apache-polaris-1.4.0-rc1
apache-polaris-1.4.0-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42809.json"