CVE-2026-42810

CVE-2026-42810 affects Apache Polaris. The issue arises because Polaris accepts literal ‘’ characters in namespace and table names, and these unescaped characters are reused in temporary S3 access policies for delegated table access. In S3 IAM policy matching, ‘ ’ is treated as a wildcard, allowi...

CVE-2026-42809

Apache Polaris is affected via the staged-create path where an authenticated, low-privilege user can supply a custom location during stage create and request credential vending. Polaris issues broad temporary (vended) storage credentials tied to that location before normal validation and overlap ...

CVE-2026-42811

CVE-2026-42811 : Apache Polaris builds Google Cloud Storage downscoped credentials via a Credential Access Boundary (CAB) with CEL conditions intended to constrain to a table path. The CEL string uses the bucket and table path; if a namespace/table identifier contains special content (e.g., a sin...

CVE-2026-42812

The CVE-2026-42812 entry covers Apache Polaris involving write.metadata.path in Polaris-managed catalogs. A change to the table property write.metadata.path can bypass the pre-write location validation, allowing Polaris to write metadata to attacker-controlled storage before location checks run. ...