Metadata File Vulnerability in Apache Iceberg by Apache Software Foundation
CVE-2026-42812

9.4 CRITICAL

Key Information:

Vendor: Apache

CVE Published: 4 May 2026

What is CVE-2026-42812?

Apache Iceberg's vulnerable configuration allows a user to alter table settings to write metadata files to an arbitrary location, circumventing essential location checks. If certain conditions are met, this can lead to unauthorized access to sensitive data stored in the affected locations. By manipulating the write.metadata.path property, attackers can control where metadata is stored, potentially compromising data integrity and confidentiality, as the system may issue temporary storage credentials without rigorous validation. This flaw persists even when polaris.config.allow.unstructured.table.location is disabled, revealing core weaknesses in the table setting change validation process.
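One way a catalog or an audit job could check a table-property update against this flaw, as an added example (not Apache Polaris code and not the project's fix). The allowed-roots list, the function names and the sample URIs are assumptions constructed for illustration; only the write.metadata.path property name comes from the advisory.

```python
from urllib.parse import urlsplit, unquote

# Property named in the advisory; extend the tuple for other location-bearing properties.
LOCATION_PROPERTIES = ("write.metadata.path",)

# Constructed sample: the storage roots this table is permitted to use.
ALLOWED = ["s3://example-warehouse/ns1/orders"]


def _split(uri):
    """Return (scheme, authority, path segments), or None if the URI is unsafe to compare."""
    parts = urlsplit(uri)
    # Decode first so percent-encoded dot segments (%2e%2e) are seen as what they are.
    segments = [s for s in unquote(parts.path).split("/") if s]
    # Reject rather than resolve "." and "..": object stores and filesystems
    # disagree on their meaning, so a resolved path may not be the one written.
    if not parts.scheme or any(s in (".", "..") for s in segments):
        return None
    return parts.scheme.lower(), parts.netloc, segments


def is_under(location, allowed_roots):
    """True only if location equals, or is a path-segment descendant of, an allowed root."""
    loc = _split(location)
    if loc is None:
        return False
    for root in allowed_roots:
        r = _split(root)
        # Compare whole segments, not string prefixes, so that
        # ".../orders-shadow" does not pass as a child of ".../orders".
        if r and loc[:2] == r[:2] and loc[2][:len(r[2])] == r[2]:
            return True
    return False


def audit_update(updates, allowed_roots):
    """Return the location-bearing properties in an update that escape the allowed roots."""
    return {k: v for k, v in updates.items()
            if k in LOCATION_PROPERTIES and not is_under(v, allowed_roots)}


if __name__ == "__main__":
    # Constructed property update of the kind the advisory describes.
    update = {"write.metadata.path": "s3://example-warehouse/ns1/orders-shadow/metadata",
              "owner": "analyst"}
    print(audit_update(update, ALLOWED))
```

Running the same check before temporary storage credentials are issued for a table, and not only when the table is created, covers the case the advisory describes where the location is changed afterwards through a property update.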

Affected Version(s)

Apache Polaris 0 < 1.4.1

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
