Credential Bypass Vulnerability in Apache Polaris Affecting Google Cloud Storage
CVE-2026-42811

9.4 CRITICAL

Key Information:

Vendor:
Apache

CVE Published:
4 May 2026

What is CVE-2026-42811?

Apache Polaris has a vulnerability that allows improperly scoped Google Cloud Storage (GCS) credentials to be generated, inadvertently granting access beyond the intended resource boundary. When crafted namespace or table names are used, the system fails to properly escape those identifiers in the Credential Access Boundary (CAB) conditions, so the resulting credential carries broader access rights than intended. This issue was demonstrated in testing with version 1.4.0, where credentials could allow actions such as listing, creating, and deleting objects across multiple tables and even external prefixes within the same bucket. As a result, unauthorized access to sensitive data becomes possible, potentially exposing every object in the configured storage bucket.
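A worked model of the bug class described above, added here as an illustrative example and not taken from Apache Polaris: a Credential Access Boundary rule is built for one table's object prefix, with the caller-supplied namespace and table identifiers allowlisted and quoted as a CEL string literal before they reach the availability condition, beside the weak pattern that interpolates them verbatim. The bucket name, the allowlist pattern and all helper names are assumptions for the example, not details from the advisory.

```python
import json
import re

# Allowlist for a single identifier segment (an assumption for this example;
# a real catalog may accept more characters, which must then be escaped).
_SEGMENT = re.compile(r"^[A-Za-z0-9_.-]+$")


def naive_expression(bucket, prefix):
    """The weak pattern: caller-controlled text dropped straight into the CEL
    condition. A prefix containing a double quote ends the string literal
    early, so the condition no longer means 'objects under this one prefix'."""
    return f'resource.name.startsWith("projects/_/buckets/{bucket}/objects/{prefix}")'


def cel_string(value):
    """Render value as a double-quoted CEL string literal. json.dumps escapes
    backslash and double quote the same way CEL does, which is what matters."""
    return json.dumps(value)


def table_prefix(namespace_parts, table):
    """Join identifier segments into an object prefix, rejecting any segment
    outside the allowlist instead of trusting it."""
    parts = list(namespace_parts) + [table]
    for part in parts:
        if not _SEGMENT.match(part):
            raise ValueError(f"unsafe identifier segment: {part!r}")
    return "/".join(parts) + "/"


def cab_rule(bucket, namespace_parts, table, permissions):
    """One CAB access-boundary rule confining a downscoped token to the table's
    prefix: the resource is validated and quoted before entering the condition."""
    if not _SEGMENT.match(bucket):
        raise ValueError(f"unsafe bucket name: {bucket!r}")
    resource = f"projects/_/buckets/{bucket}/objects/{table_prefix(namespace_parts, table)}"
    return {
        "availableResource": f"//storage.googleapis.com/projects/_/buckets/{bucket}",
        "availablePermissions": list(permissions),
        "availabilityCondition": {
            "expression": f"resource.name.startsWith({cel_string(resource)})",
        },
    }


if __name__ == "__main__":
    # Constructed sample values, not from the advisory.
    rule = cab_rule("example-bucket", ["ns1"], "t1", ["inRole:roles/storage.objectViewer"])
    print(json.dumps({"accessBoundary": {"accessBoundaryRules": [rule]}}, indent=2))
```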

Affected Version(s)

Apache Polaris, all versions before 1.4.1 (affected range: 0 to < 1.4.1)

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
