Wildcard Vulnerability in Apache Polaris Affects AWS S3 Access Control
CVE-2026-42810

9.4 CRITICAL

Key Information:

Vendor

Apache

CVE Published:
4 May 2026

What is CVE-2026-42810?

Apache Polaris contains a vulnerability where it accepts literal * characters in namespace and table names, leading to improper handling of S3 IAM resource patterns and s3:prefix conditions. This flaw allows temporary credentials generated for one table to inadvertently enable access to another table’s S3 storage paths, resulting in unauthorized data access and modification. Specifically, crafted table names like f*.t1, f*.*, *.*, and foo.* can result in an attacker reading the metadata control files of other tables, listing their exact S3 prefixes, and even creating or deleting objects within unauthorized locations. This issue poses significant risks, as it compromises both the confidentiality and integrity of the data stored in S3.
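To make the failure mode concrete, here is an added Python illustration (not Polaris's own code) of why a literal `*` in a namespace or table name breaks per-table scoping. It assumes a simple `warehouse/<namespace>/<table>/` storage layout, a session policy whose resource ARN is derived from that prefix, and a small constructed catalog; the IAM matching rule it models (`*` matches any run of characters, including `/`) is the documented IAM semantics. The hardened path shows the defender-side fix of rejecting wildcard characters before any policy is derived from an identifier.

```python
import re

# Constructed sample layout; not Polaris's real storage layout or policy shape.
BUCKET = "example-bucket"
WAREHOUSE_PREFIX = "warehouse"

# Hypothetical catalog contents as (namespace, table) pairs.
CATALOG = {("finance", "t1"), ("fraud", "t1"), ("hr", "t3")}

# Characters that IAM interprets as wildcards inside a Resource ARN.
WILDCARD_CHARS = frozenset("*?")


def table_prefix(namespace: str, table: str) -> str:
    """Storage prefix a table's files live under (assumed layout)."""
    return f"{WAREHOUSE_PREFIX}/{namespace}/{table}/"


def scoped_resource_arn(namespace: str, table: str) -> str:
    """Resource ARN a per-table session policy would grant (assumed shape)."""
    return f"arn:aws:s3:::{BUCKET}/{table_prefix(namespace, table)}*"


def iam_resource_matches(pattern: str, arn: str) -> bool:
    """IAM resource matching: '*' spans any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, arn) is not None


def tables_reachable(namespace: str, table: str) -> set:
    """All catalog tables whose metadata file the scoped credential would reach.
    With a well-formed name this is exactly the requesting table; with a
    wildcard in the name the policy silently widens to other tables."""
    policy_arn = scoped_resource_arn(namespace, table)
    return {
        (ns, tbl)
        for (ns, tbl) in CATALOG
        if iam_resource_matches(
            policy_arn, f"arn:aws:s3:::{BUCKET}/{table_prefix(ns, tbl)}metadata.json"
        )
    }


def is_safe_identifier(name: str) -> bool:
    """True only for non-empty names with no IAM wildcard characters."""
    return bool(name) and not any(c in WILDCARD_CHARS for c in name)


def validate_identifier(name: str) -> str:
    """Hardened check: refuse any name IAM would treat as a pattern."""
    if not is_safe_identifier(name):
        raise ValueError(f"identifier {name!r} contains IAM wildcard characters")
    return name


def tables_reachable_hardened(namespace: str, table: str) -> set:
    """Same derivation, but identifiers are validated before a policy is built."""
    validate_identifier(namespace)
    validate_identifier(table)
    return tables_reachable(namespace, table)


if __name__ == "__main__":
    print(tables_reachable("finance", "t1"))  # only finance.t1
    print(tables_reachable("f*", "t1"))       # finance.t1 and fraud.t1
    print(tables_reachable("*", "*"))         # every table in the catalog
    try:
        tables_reachable_hardened("f*", "t1")
    except ValueError as err:
        print("rejected:", err)
```

The same check belongs wherever a name feeds an `s3:prefix` condition, since that condition value is also pattern-matched; a detection angle is to alert on catalog create/rename events whose identifiers contain `*` or `?`, which have no legitimate reason to appear in a namespace or table name.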

Affected Version(s)

Apache Polaris 0 < 1.4.1

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
