CVE-2026-42812
CriticalSummary
In Apache Iceberg, changing the `write.metadata.path` property in a table registered in a Polaris-managed catalog can bypass the storage location revalidation mechanism. This allows for potential unauthorized changes to the table's metadata.
Risk Assessment
Organizations may be exposed to unauthorized data access and metadata manipulation, which can lead to serious security breaches and data integrity issues.
Recommendation
It is recommended that administrators set `polaris.config.allow.unstructured.table.location` to `false` and carefully review and restrict the allowlist of storage paths (`allowedLocations`).
Original NVD description (English source)
In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a Polaris-managed catalog, changing only that property through an `ALTER TABLE`-style settings change (not a row-level `INSERT`, `SELECT`, `UPDATE`, or `DELETE`) bypasses the commit-time branch that is supposed to revalidate storage locations. The full persisted / credential-vending variant requires the affected catalog to have `polaris.config.allow.unstructured.table.location=true`, with `allowedLocations` broad enough to include the attacker-chosen target. `allowedLocations` is the admin-configured allowlist of storage paths that the catalog is allowed to use. Public project materials suggest that this flag is a real supported compatibility / layout mode, not just a contrived lab-only pr

