Cyber Posture

CVE-2026-34214

Severity: High

Published: 31 March 2026
Modified: 06 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0002 (4.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34214 is a high-severity Improper Removal of Sensitive Information Before Storage or Transfer (CWE-212) vulnerability in Trino. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). The vulnerability is ranked at the 4.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Steal Application Access Token (T1528). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated mapping)

- prevent: Flaw remediation by upgrading Trino to version 480 or later directly eliminates the exposure of Iceberg connector credentials to SQL write-privileged users.

- prevent (AC-6, Least Privilege): Least privilege ensures SQL-level write access does not grant unauthorized visibility into static or temporary credentials used by the Iceberg REST catalog.

- prevent (AC-3, Access Enforcement): Access enforcement mechanisms restrict low-privilege users from retrieving sensitive credentials via the Iceberg connector despite having SQL write privileges.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1528 Steal Application Access Token (tactic: Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The vulnerability directly exposes static and vended access keys/credentials from the Iceberg REST catalog to low-privilege SQL users, enabling adversaries to steal application access tokens/credentials for unauthorized access to remote resources.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.

Deeper analysis (AI-generated)

CVE-2026-34214 is a vulnerability in Trino, a distributed SQL query engine for big data analytics. It affects versions 439 through 479, where the Iceberg connector's REST catalog exposes static credentials (access key) or vended credentials (temporary access key) to users with write privileges at the SQL level. The issue, published on 2026-03-31, carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-212 (Improper Removal of Sensitive Information) and CWE-312 (Cleartext Storage of Sensitive Information).

Users with low-privilege write access on the SQL level can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation grants access to the credentials, resulting in high confidentiality impact within a changed scope, without affecting integrity or availability.

Trino has patched the vulnerability in version 480. Security practitioners should upgrade to this version or later. Additional details are available in the release notes at https://github.com/trinodb/trino/releases/tag/480 and the security advisory at https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644.

Details

CWE(s)

CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer), CWE-312 (Cleartext Storage of Sensitive Information)

Affected Products

trino/trino: versions 439 up to (not including) 480

CVEs Like This One

- CVE-2026-33512 (shared CWE-312)
- CVE-2024-8474 (shared CWE-212)
- CVE-2025-25758 (shared CWE-312)
- CVE-2025-26495 (shared CWE-312)
- CVE-2024-43384 (shared CWE-212)
- CVE-2026-34833 (shared CWE-312)
- CVE-2024-55928 (shared CWE-312)
- CVE-2025-22896 (shared CWE-312)
- CVE-2025-27685 (shared CWE-312)
- CVE-2026-33867 (shared CWE-312)

References