The Apache Polaris project, a popular open-source catalog for Apache Iceberg, has released a major security update to address four critical vulnerabilities that could allow attackers to bypass storage restrictions and access sensitive data across cloud environments. Polaris is widely adopted for its ability to enable interoperability between high-performance engines like Spark, Flink, and Trino, making these flaws a significant concern for data platform security.
All four vulnerabilities affect versions of Apache Polaris prior to 1.4.1.
Researchers discovered that an authenticated, low-privileged user can abuse the “staged table creation” process to trick Polaris into issuing broad storage credentials for an attacker-chosen location. This flaw is tracked as CVE-2026-42809.
The defect exists because Polaris generates temporary (“vended”) credentials before validating or reserving the table’s effective location. An attacker can supply a custom location during the creation stage, and Polaris will immediately construct delegated credentials for that path without performing its normal overlap or location checks. This effectively allows an attacker to direct Polaris to grant them access to unauthorized storage areas.
In AWS S3 environments, Polaris was found to accept literal * (asterisk) characters in namespace and table names. When Polaris builds temporary S3 access policies, these characters are reused unescaped in S3 IAM resource patterns. This flaw is tracked as CVE-2026-42810.
Because S3 treats * as a wildcard, credentials issued for a crafted table (e.g., f*.t1) can match the storage paths of entirely different tables. In testing, researchers confirmed that an attacker could:
- Read another table’s critical Iceberg metadata JSON control files.
- List objects within another table’s private S3 prefix.
- Create or delete data in storage areas they should not be able to reach.
A similar flaw affects Google Cloud Storage (GCS) users. Polaris uses a Credential Access Boundary (CAB) with Common Expression Language (CEL) conditions to restrict access to specific table files. However, Polaris fails to escape single quotes in table paths derived from namespace identifiers. This flaw is tracked as CVE-2026-42811.
By crafting an identifier containing a single quote, an attacker can “break out” of the intended string in the CEL expression. This causes the security boundary to collapse, granting the attacker credentials that may work across the entire configured bucket rather than just a single table.
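As an added illustration (not code from the article or from the Polaris project, and written in Python rather than Polaris's Java for brevity), the block below shows the defensive side of the two flaws just described: identifier validation before an S3 IAM resource pattern is built, CEL string escaping before a GCS Credential Access Boundary condition is built, and a check that a vended resource pattern covers no other table's objects. The identifier allow-list, ARN layout and CAB condition shape are assumptions for the example, not Polaris's actual rules.

```python
import re

# Conservative identifier allow-list for this example (an assumption, not
# Polaris's rule): letters, digits, '_', '-' and '.'. It excludes '*' and '?',
# which IAM treats as wildcards in resource ARNs, and the quote and backslash
# characters that matter inside CEL string literals.
IDENT_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def iam_resource_matches(pattern: str, arn: str) -> bool:
    """Approximate IAM resource matching: '*' matches any run of characters,
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn) is not None


def s3_table_resource(bucket: str, namespace: str, table: str) -> str:
    """Hardened builder: the ARN for one table's prefix, refusing identifiers
    that IAM would read as wildcards."""
    for name in (namespace, table):
        if not IDENT_RE.fullmatch(name):
            raise ValueError(f"identifier not safe for an IAM resource: {name!r}")
    return f"arn:aws:s3:::{bucket}/{namespace}/{table}/*"


def cel_string_literal(value: str) -> str:
    """Quote a value as a single-quoted CEL string literal, escaping the
    backslash first and the quote second so neither can end the literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def gcs_cab_condition(bucket: str, prefix: str) -> str:
    """CEL availability condition confining a token to one object prefix."""
    path = f"projects/_/buckets/{bucket}/objects/{prefix}"
    return f"resource.name.startsWith({cel_string_literal(path)})"


def policy_over_matches(resource_pattern: str, other_object_arns) -> list:
    """Detection check: ARNs of *other* tables' objects that a vended resource
    pattern would also cover. A correctly scoped grant returns an empty list."""
    return [a for a in other_object_arns if iam_resource_matches(resource_pattern, a)]


if __name__ == "__main__":
    # Constructed sample: a wildcard namespace like the article's 'f*' beside a
    # legitimately named table it must not reach.
    crafted = "arn:aws:s3:::lake/f*/t1/*"
    others = ["arn:aws:s3:::lake/finance/t1/metadata/v3.metadata.json"]
    print("over-match:", policy_over_matches(crafted, others))
    print(gcs_cab_condition("lake", "finance/t1/"))
```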
The final vulnerability involves the write.metadata.path property. In Apache Iceberg, metadata files are the “brain” of the table, defining which snapshots and data files are valid. Researchers found that changing only this property through an ALTER TABLE command bypasses the commit-time branch responsible for revalidating storage locations. This flaw is tracked as CVE-2026-42812.
If a catalog is configured to allow unstructured locations, an attacker can cause Polaris to write new metadata to an unchecked, reachable location. Polaris may then persist this unsafe path and later hand out temporary cloud credentials for it, enabling data corruption or theft.
The Apache Polaris team has marked these vulnerabilities as Important and urges all administrators to upgrade to version 1.4.1 immediately. This release introduces the necessary escaping and validation logic to prevent attackers from manipulating storage paths or breaking out of credential boundaries.