Security Flaw in Apache Polaris Allows Unauthorized Credential Vending
CVE-2026-42809

9.4CRITICAL

Key Information:

Vendor: Apache
Status: Apache Polaris
Vendor: CVE Published:; 4 May 2026

What is CVE-2026-42809?

Apache Polaris contains a vulnerability that allows attackers to bypass normal validations and issue temporary storage credentials without proper checks. When a custom location is supplied during staged table creation, the system immediately constructs delegated storage credentials based on that location, disregarding essential location validation and overlap checks. Additionally, fields like 'write.data.path' and 'write.metadata.path' can also be manipulated, further compromising the security of data accessibility. This flaw enables attackers to dictate the scope of accessible data, posing a significant risk to data integrity and storage security.

Affected Version(s)

Apache Polaris 0 < 1.4.1

References

https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr4...

vendor-advisory

CVSS V4

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
Apr 30, 2026

CVE-2026-42809 Data

JSON