CVE-2026-42809

Apache Polaris can issue broad temporary "vended" storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation...

Missing Authorization

Overview org.apache.polaris:polaris-runtime-service is an a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure Affected versions of this...

CVE-2026-42809

Apache Polaris can issue broad temporary "vended" storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation...

CVE-2026-42809 Apache Polaris: staged table creation could vend storage credentials for unvalidated locations

Apache Polaris can issue broad temporary "vended" storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation...

EUVD-2026-27033

Apache Polaris can issue broad temporary "vended" storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation...