PT-2026-36668 · Apache · Apache Polaris

Jean-Baptiste Onofré · Published 2026-05-02 · Updated 2026-05-13 · CVE-2026-42809

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Polaris (affected versions not specified)

Description: Apache Polaris issues broad temporary storage credentials during staged table creation before validating or reserving the effective table location. An attacker can therefore choose which table data and metadata the vended credentials cover by supplying a reachable target location. Specifically, if a caller provides a custom location during stage create and requests credential vending, the system constructs delegated storage credentials immediately, without performing the normal location validation or overlap checks. In addition, the staged-create flow accepts write.data.path and write.metadata.path in the request properties; these act as location overrides and are used for credential vending without prior validation.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-42809
GHSA-8GGJ-J522-H5QF

Affected Products

Apache Polaris