CVE-2026-42809

Name: CVE-2026-42809
Creator: NVD / NIST
Published: 2026-05-04T17:16:26.307+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.4/10EPSS 0.36%

Last modified Jun 17, 2026

CVE-2026-42809 is a critical-severity vulnerability rated 9.4/10 on the CVSS scale. Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. EPSS estimates a 0.36% chance of exploitation in the next 30 days.

Description

Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker- directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.

Metrics

CVSS 3.1

9.9/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0

9.4/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.36%

27.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apache	Polaris	< 1.4.1

References

https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671rMailing List, Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/05/02/10Mailing List, Third Party Advisory

Timeline

Published: May 4, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-42809?

How severe is CVE-2026-42809?

CVE-2026-42809 has a CVSS score of 9.4/10 (CRITICAL severity). The EPSS model estimates a 0.36% probability of exploitation in the next 30 days.

How do I fix CVE-2026-42809?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-42809?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST