GHSA-x27p-5f68-m644

Source

https://github.com/advisories/GHSA-x27p-5f68-m644

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-x27p-5f68-m644/GHSA-x27p-5f68-m644.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x27p-5f68-m644

Aliases

CVE-2026-34214

Related

CGA-ww5p-v89c-342v

Published

2026-03-29T15:13:30Z

Modified

2026-03-30T18:29:16.287531Z

Severity

7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON

Details

Summary

Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level.

Details

Iceberg REST catalog typically needs access to object storage. This access can be configured in multiple different ways. When storage access is achieved by static credentials (e.g. AWS S3 access key) or vended credentials (temporary access key).

Query JSON is a query visualization and performance troubleshooting facility. It includes serialized query plan and handles for table writes or execution of table procedures. A user that submitted a query has access to query JSON for their query. Query JSON is available from Trino UI or via /ui/api/query/«query_id» and /v1/query/«query_id» endpoints.

The storage credentials are stored in those handles when performing write operations, or table maintenance operations. They are serialized in query JSON. A user with write access to data in Iceberg connector configured to use REST Catalog with static or vended credentials can retrieve those credentials.

Impact

Anyone using Iceberg REST catalog with static or vended credentials is impacted. The credentials should be considered compromised. Vended credentials are temporary in nature so they do not need to be rotated. However, underlying data could have been exposed.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-212",
        "CWE-312"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2026-03-29T15:13:30Z",
    "severity": "HIGH"
}

References

Affected packages

Maven / io.trino:trino-iceberg

Package

Name: io.trino:trino-iceberg; View open source insights on deps.dev
Purl: pkg:maven/io.trino/trino-iceberg

Affected ranges

Type: ECOSYSTEM
Events: Introduced

439

Fixed

480

Affected versions

Other

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

478

479

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-x27p-5f68-m644/GHSA-x27p-5f68-m644.json"