CVE-2026-42809
Published: 04 May 2026
Summary
CVE-2026-42809 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Apache Polaris (inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of attacker-supplied inputs like custom location and write paths before using them to construct and issue temporary storage credentials.
Enforces approved access authorizations by ensuring temporary credentials are only issued for validated table locations, preventing attacker-directed broad storage access.
Mandates least privilege for processes issuing credentials, limiting the scope of temporary storage access even with unvalidated location inputs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability allows low-privilege authenticated users to obtain improperly scoped temporary storage credentials via unvalidated location input, directly enabling privilege escalation (T1068) and subsequent unauthorized access to cloud/object storage data and metadata (T1530).
NVD Description
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but…
more
this scope limitation becomes attacker- directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.
Deeper analysisAI
CVE-2026-42809 is a critical vulnerability (CVSS 9.9) in Apache Polaris, specifically in the staged table creation process. Polaris issues broad temporary ("vended") storage credentials before validating or durably reserving the effective table location. These credentials are intended to limit access to table data and metadata, but an attacker can supply a custom `location` during stage create and request credential vending, causing Polaris to construct delegated storage credentials based on that unvalidated attacker-controlled location. Related inputs like `write.data.path` and `write.metadata.path` in request properties also feed into the credential scope without prior validation (CWE-20, CWE-862).
The vulnerability enables remote exploitation (AV:N) by low-privilege authenticated users (PR:L/AC:L/UI:N) with changed scope (S:C), leading to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). An attacker can direct the temporary credentials to any reachable target storage location of their choice, effectively bypassing intended scope limitations and gaining unauthorized broad access to storage for reading or writing data and metadata.
Mitigation details are available in the Apache advisory at https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r and the oss-security announcement at http://www.openwall.com/lists/oss-security/2026/05/02/10.
Details
- CWE(s)