13 matches found

CVE
added 2026/05/06 4:44 p.m. | 5 views

CVE-2026-29080

CVE-2026-29080 describes an SQL injection in Rucio’s FilterEngine for Oracle JSON Path via the DID search API. In Oracle deployments using the default json_meta plugin, create_sqla_query() interpolates attacker-controlled key and value directly into sqlalchemy.text() via Python .format(), bypassi...

9.4 CVSS | 6 AI score | 0.00048 EPSS
Exploits 0 | References 1 | Affected Software 1
Github Security Blog
added 2026/05/04 6:30 p.m. | 6 views

Apache Polaris has an Improper Input Validation issue

In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. write.metadata.path is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a...

9.9 CVSS | 5.9 AI score | 0.00119 EPSS
Exploits 0 | References 5 | Affected Software 1
Snyk
added 2026/05/04 5:26 p.m. | 4 views

Incorrect Authorization

Overview: org.apache.polaris:polaris-runtime-service is a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure. Affected versions of this...

9.9 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits 0 | References 2
NVD
added 2026/05/04 5:16 p.m. | 4 views

CVE-2026-42812

In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. write.metadata.path is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a...

9.9 CVSS | 0.00119 EPSS
Exploits 0 | References 2
Cvelist
added 2026/05/04 4:22 p.m. | 26 views

CVE-2026-42809 Apache Polaris: staged table creation could vend storage credentials for unvalidated locations

Apache Polaris can issue broad temporary "vended" storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation...

9.9 CVSS | 0.00095 EPSS
Exploits 0 | References 1
CVE
added 2026/05/04 4:19 p.m. | 6 views

CVE-2026-42812

The CVE-2026-42812 entry covers Apache Polaris involving write.metadata.path in Polaris-managed catalogs. A change to the table property write.metadata.path can bypass the pre-write location validation, allowing Polaris to write metadata to attacker-controlled storage before location checks run. ...

9.9 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits 0 | References 2 | Affected Software 1
Vulnrichment
added 2026/05/04 4:19 p.m. | 2 views

CVE-2026-42812 Apache Polaris: No protection on `write.metadata.path`

In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. write.metadata.path is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a...

9.9 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits 0 | References 1
Cvelist
added 2026/05/04 4:19 p.m. | 31 views

CVE-2026-42812 Apache Polaris: No protection on `write.metadata.path`

In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. write.metadata.path is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a...

9.9 CVSS | 0.00119 EPSS
Exploits 0 | References 1
CNNVD
added 2026/05/04 12:00 a.m. | 6 views

Apache Polaris Input Validation Error Vulnerability

Apache Polaris is a data management and query service component of the Apache Foundation. Apache Polaris has a vulnerability related to input validation, which stems from skipping expected position checks when only the write.metadata.path property is changed. This may lead to metadata being writt...

9.9 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits 0 | References 1
Positive Technologies
added 2026/05/02 12:00 a.m. | 4 views

PT-2026-36670

Name of the Vulnerable Software and Affected Versions: Apache Polaris version 1.4.0. Description: Apache Polaris fails to properly escape namespace and table identifiers when constructing Common Expression Language (CEL) strings for Google Cloud Storage (GCS) Credential Access Boundaries (CAB). This allow...

9.9 CVSS | 5.8 AI score | 0.00114 EPSS
Exploits 0 | References 13
Positive Technologies
added 2026/05/02 12:00 a.m. | 2 views

PT-2026-36671

Name of the Vulnerable Software and Affected Versions: Apache Polaris versions prior to 1.4.1. Description: Changing the write.metadata.path table property via an ALTER TABLE settings change allows a user to bypass the commit-time branch intended to revalidate storage locations. This defect enables...

9.9 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits 0 | References 12
Github Security Blog
added 2021/10/19 8:14 p.m. | 67 views

Client metadata path-traversal

Impact: In both clients (tuf/client and tuf/ngclient), there is a path traversal vulnerability that in the worst case can overwrite files ending in .json anywhere on the client system on a call to get_one_valid_targetinfo(). It occurs because the rolename is used to form the filename, and may contain pat...

8.8 CVSS | 1.8 AI score | 0.00644 EPSS
Exploits 0 | References 6 | Affected Software 1
OSV
added 2021/10/19 8:14 p.m. | 15 views

GHSA-WJW6-2CQR-J4QR Client metadata path-traversal

Impact: In both clients (tuf/client and tuf/ngclient), there is a path traversal vulnerability that in the worst case can overwrite files ending in .json anywhere on the client system on a call to get_one_valid_targetinfo(). It occurs because the rolename is used to form the filename, and may contain pat...

7.5 CVSS | 7.4 AI score | 0.00644 EPSS
Exploits 0 | References 6