Cyber Resilience

CVE-2026-42809

Critical

Published: 04 May 2026

Published
04 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0036 27.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-42809 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Polaris. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 27.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-42809 is a critical vulnerability (CVSS 9.9) in Apache Polaris, specifically in the staged table creation process. Polaris issues broad temporary ("vended") storage credentials before validating or durably reserving the effective table location. These credentials are intended to limit access to table data and metadata, but an attacker can supply a custom `location` during stage create and request credential vending, causing Polaris to construct delegated storage credentials based on that unvalidated attacker-controlled location. Related inputs like `write.data.path` and `write.metadata.path` in request properties also feed into the credential scope without prior validation (CWE-20, CWE-862).

The vulnerability enables remote exploitation (AV:N) by low-privilege authenticated users (PR:L/AC:L/UI:N) with changed scope (S:C), leading to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). An attacker can direct the temporary credentials to any reachable target storage location of their choice, effectively bypassing intended scope limitations and gaining unauthorized broad access to storage for reading or writing data and metadata.

Mitigation details are available in the Apache advisory at https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r and the oss-security announcement at http://www.openwall.com/lists/oss-security/2026/05/02/10.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but…

more

this scope limitation becomes attacker- directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1530 Data from Cloud Storage Collection
Adversaries may access data from cloud storage.
Why these techniques?

Vulnerability allows low-privilege authenticated users to obtain improperly scoped temporary storage credentials via unvalidated location input, directly enabling privilege escalation (T1068) and subsequent unauthorized access to cloud/object storage data and metadata (T1530).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42810Same product: Apache Polaris
CVE-2026-42811Same product: Apache Polaris
CVE-2026-42812Same product: Apache Polaris
CVE-2026-39816Same vendor: Apache
CVE-2026-41044Same vendor: Apache
CVE-2025-23015Same vendor: Apache
CVE-2026-22444Same vendor: Apache
CVE-2026-41293Same vendor: Apache
CVE-2025-48913Same vendor: Apache
CVE-2026-24734Same vendor: Apache

Affected Assets

apache
polaris
≤ 1.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of attacker-supplied inputs like custom location and write paths before using them to construct and issue temporary storage credentials.

prevent

Enforces approved access authorizations by ensuring temporary credentials are only issued for validated table locations, preventing attacker-directed broad storage access.

prevent

Mandates least privilege for processes issuing credentials, limiting the scope of temporary storage access even with unvalidated location inputs.

References