CVE-2026-42809
CriticalSummary
Apache Polaris can issue broad temporary ('vended') storage credentials during staged table creation before the effective table location has been validated or durably reserved. An attacker can choose a reachable target location, leading to unauthorized access to table data and metadata.
Risk Assessment
The organization is at risk of unauthorized access to data, which may result in information leakage or data manipulation. An attacker could exploit this vulnerability to direct credentials to unauthorized locations.
Recommendation
It is recommended to implement additional location validation mechanisms before issuing credentials and to restrict the ability for users to supply custom locations. Monitoring and auditing the use of storage credentials should also be enforced.
Original NVD description (English source)
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondar

