CVE-2026-42809 - Vulnerability Analysis
Critical | CVSS: 9.9 | Last Updated: May 4, 2026
Apache Polaris - Broken Access Control
Published: May 4, 2026 | Updated: May 4, 2026 | Remote Exploitable
Overview
Apache Polaris contains a broken access control vulnerability: it issues temporary storage credentials during staged table creation without validating or reserving the effective table location. This lets attackers obtain broad storage access by supplying attacker-controlled locations. Exploitation requires the ability to supply custom location parameters.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Attackers can obtain broad temporary storage credentials, potentially accessing or modifying unauthorized table data and metadata.
Mitigation
Update to the latest version where location validation and overlap checks are enforced before credential vending.
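The sketch below is an added example, not Apache Polaris code, of what a location validation and overlap check ahead of credential vending can look like. The function names, the `allowed_bases` and `reserved` parameters, and the policy that a table location must sit strictly inside an allowed base are assumptions made for illustration.

```python
from urllib.parse import urlsplit

class LocationRejected(Exception):
    """Raised when a requested table location must not receive credentials."""

def normalize(location):
    """Parse a storage URI into (scheme, bucket, path segments)."""
    parts = urlsplit(location)
    if not parts.scheme or not parts.netloc or parts.query or parts.fragment:
        raise LocationRejected(f"not a plain absolute storage URI: {location!r}")
    segments = tuple(s for s in parts.path.split("/") if s)
    # Conservative choice: refuse dot segments and percent-encoding outright.
    if any(s in (".", "..") or "%" in s for s in segments):
        raise LocationRejected(f"ambiguous path segment in {location!r}")
    return parts.scheme.lower(), parts.netloc, segments

def is_within(child, parent):
    """True if child equals parent or lies beneath it.

    Compared per path segment: a raw string-prefix test would treat
    .../ns10 as being inside .../ns1.
    """
    return child[:2] == parent[:2] and child[2][:len(parent[2])] == parent[2]

def reserve_staged_location(requested, allowed_bases, reserved):
    """Validate and reserve a location; return the prefix credentials may cover."""
    loc = normalize(requested)
    bases = [normalize(b) for b in allowed_bases]
    if not any(is_within(loc, b) and loc != b for b in bases):
        raise LocationRejected("location is not strictly inside an allowed base")
    for taken in reserved:
        if is_within(loc, taken) or is_within(taken, loc):
            raise LocationRejected("location overlaps an existing table location")
    reserved.add(loc)  # reserve before any credential is issued
    scheme, bucket, segments = loc
    return f"{scheme}://{bucket}/" + "/".join(segments) + "/"

if __name__ == "__main__":
    # Constructed sample locations, not taken from any real deployment.
    reserved, bases = set(), ["s3://lake/warehouse/ns1"]
    for candidate in ["s3://lake/warehouse/ns1/orders",
                      "s3://lake/warehouse/ns10/orders",
                      "s3://lake/warehouse/ns1/orders/nested",
                      "s3://lake/"]:
        try:
            print("vend for", reserve_staged_location(candidate, bases, reserved))
        except LocationRejected as err:
            print("reject  ", candidate, "->", err)
```

In a real catalog the reservation has to be persisted atomically with the check, otherwise two concurrent requests can both pass it.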
Details
- CVE ID: CVE-2026-42809
- Severity: Critical
- CVSS Score: 9.9
- Type: broken_access_control
- Status: new
CWE
- CWE-20
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H