CVE-2026-42809 in Polarisinformação

Sumário

de MITRE • 04/05/2026

Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location.



In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued.



Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Divulgação

04/05/2026

Moderação

aceite

Entrada

VDB-360877

CPE

pronto

EPSS

0.00095

KEV

não

Atividades

muito baixo

Fontes

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-42809
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-42809
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-42809/

VoltarVisão GeralPróximo

Interested in the pricing of exploits?

See the underground prices here!