PT-2026-36669 · Apache · Apache Polaris

Jean-Baptiste Onofré · Published 2026-05-02 · Updated 2026-05-13 · CVE-2026-42810

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Apache Polaris version 1.4.0

Description

Apache Polaris allows the use of literal * characters in namespace and table names. These characters are reused unescaped in S3 IAM resource patterns and s3:prefix conditions when building temporary S3 access policies for delegated table access. Since S3 IAM policy matching treats * as a wildcard, temporary credentials issued for a crafted table can match the storage path of a different table. This allows an attacker to read another table's metadata control files, list S3 table prefixes, and, if write delegation is granted, create or delete objects under another table's S3 prefix. This issue can be exploited even if the attacker has minimal permissions, such as namespace-scoped TABLE CREATE and TABLE WRITE DATA on *, enabling unauthorized access to data and metadata of other tables.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
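
The over-match described above, as an added example (not code from Apache Polaris or from this advisory): a simplified IAM-style wildcard matcher that can serve as a regression check for a policy builder, run against an unescaped resource pattern and an escaped one. The bucket name, the namespace/table path layout and all function names are constructed assumptions; escaping with IAM's predefined `${*}`, `${?}` and `${$}` policy variables is shown as one possible mitigation, not the project's fix.

```python
import re

# IAM Resource and StringLike matching: '*' = any run of characters, '?' = any
# single character. The predefined policy variables ${*}, ${?} and ${$} stand
# for the literal characters (policy Version 2012-10-17).
_TOKEN = re.compile(r"\$\{([*?$])\}|(\*)|(\?)|(.)", re.S)

def iam_like(pattern: str, value: str) -> bool:
    """Simplified model of IAM wildcard matching, for testing policy builders."""
    parts = []
    for literal, star, qmark, char in _TOKEN.findall(pattern):
        if star:
            parts.append(".*")
        elif qmark:
            parts.append(".")
        else:
            parts.append(re.escape(literal or char))
    return re.fullmatch("".join(parts), value, flags=re.S) is not None

def has_iam_wildcard(name: str) -> bool:
    """Flag identifiers that change meaning once interpolated into a policy."""
    return any(c in name for c in "*?")

def escape_iam(segment: str) -> str:
    """Make every IAM metacharacter in a path segment literal."""
    return "".join("${%s}" % c if c in "*?$" else c for c in segment)

def naive_resource(bucket: str, table_path: str) -> str:
    # The pattern the advisory describes: the table path is reused unescaped.
    return f"arn:aws:s3:::{bucket}/{table_path}/*"

def escaped_resource(bucket: str, table_path: str) -> str:
    return f"arn:aws:s3:::{bucket}/{escape_iam(table_path)}/*"

# Constructed sample data (hypothetical bucket and path layout).
BUCKET = "example-bucket"
CRAFTED = "ns1/*"  # a table literally named '*'
OTHER_TABLE_OBJECT = f"arn:aws:s3:::{BUCKET}/ns1/orders/metadata/v1.metadata.json"
OWN_OBJECT = f"arn:aws:s3:::{BUCKET}/ns1/*/metadata/v1.metadata.json"

if __name__ == "__main__":
    for build in (naive_resource, escaped_resource):
        pattern = build(BUCKET, CRAFTED)
        print(build.__name__, pattern,
              "other table:", iam_like(pattern, OTHER_TABLE_OBJECT),
              "own table:", iam_like(pattern, OWN_OBJECT))
```

Rejecting identifiers for which `has_iam_wildcard` returns true at table or namespace creation is the stricter alternative to escaping.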

Improper Encoding or Escaping of Output

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-42810
GHSA-VXGG-MQX2-3W59

Affected Products

Apache Polaris