Apache Polaris security advisories
Security information for Apache Polaris
Reporting
Do you want disclose a potential security issue for Apache Polaris? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
write.metadata.path changes could bypass location validation and broaden delegated storage access
CVE-2026-42812 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-04T16:28:09.922Z
Affected
- Apache Polaris before 1.4.1
Description
In Apache Iceberg, the table’s metadata files are control files: they tell readers
which data files belong to the table and which table version to read.
write.metadata.path is an optional table property that tells Polaris
where to
write those metadata files.
For a table already registered in a
Polaris-managed
catalog, changing only that property through an ALTER TABLE-style settings
change (not a row-level INSERT, SELECT, UPDATE, or DELETE) bypasses
the commit-time branch that is supposed to revalidate storage locations.
The full persisted / credential-vending variant requires the affected
catalog
to have polaris.config.allow.unstructured.table.location=true, with
allowedLocations broad enough to include the attacker-chosen target.
allowedLocations is the admin-configured allowlist of storage paths that
the
catalog is allowed to use. Public project materials suggest that this flag
is a
real supported compatibility / layout mode, not just a contrived lab-only
prerequisite.
In that configuration, a user who can change table settings can cause Apache Polaris
itself to write new table metadata to an attacker-chosen reachable storage
location before the intended location-validation branch runs.
If the later concrete-path validation also accepts that location, Polaris persists the resulting metadata path into stored table state. Later table-load and credential APIs can then return temporary cloud-storage credentials for the same location without revalidating it. In plain terms, Polaris can later hand out temporary storage access for the same attacker-chosen area.
That attacker-chosen area does not need to be limited to the poisoned
table’s
own files. If it is a broader storage prefix, another table’s prefix, or,
depending on configuration or provider behavior, even a bucket/container
root,
the resulting disclosure or corruption scope can extend to any data and
metadata Polaris can reach there.
The practical consequences are therefore similar to the staged-create
credential-vending issue already discussed: data and metadata reachable in
that
storage scope can be exposed and, if write-capable credentials are later
issued, modified, corrupted, or removed. Even before that later credential
step, Polaris itself performs the metadata write to the unchecked location.
So the core issue is not only later credential vending.
The primary defect
is
that Polaris skips its intended location checks before performing a
security-
sensitive metadata write when only write.metadata.path changes.
When polaris.config.allow.unstructured.table.location=false, current code
review suggests the later updateTableLike(...) validation usually rejects
out-of-tree metadata locations before the unsafe path is persisted. That may
reduce the persisted / credential-vending variant, but it does not prevent
the
underlying defect: Polaris still skips the intended pre-write location check
when only write.metadata.path changes.
References
could broaden vended GCS credentials through unescaped identifier content in access-boundary CEL conditions
CVE-2026-42811 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-04T16:26:53.369Z
Affected
- Apache Polaris before 1.4.1
Description
In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials
that
only work for one table’s files, but a crafted namespace or table name can
cause those credentials to work across the configured bucket instead.
Apache Polaris builds Google Cloud Storage downscoped credentials by creating a
Credential Access Boundary (CAB) with CEL conditions that are intended to
restrict access to the requested table’s storage path.
The relevant CEL string is built from the bucket name and the table path.
That
table path is derived from namespace and table identifiers. In current code,
that path appears to be inserted into the CEL expression without escaping.
As a result, a namespace or table identifier containing a single quote and
other URI-safe CEL fragments can break out of the intended quoted string and
change the meaning of the CEL condition.
In private testing against Polaris 1.4.0 on real Google Cloud Storage, it was confirmed that Polaris accepted a crafted identifier and returned delegated
GCS
credentials whose CEL path restriction had effectively collapsed.
Those delegated credentials could then:
- list another table’s object prefix;
- read another table’s metadata control file (Iceberg metadata JSON);
- create and delete an object under another table’s object prefix;
- and also list, read, create, and delete objects under an unrelated external prefix in the same bucket that was not part of any table path.
That last point is important. The issue is not limited to “another table”. In the confirmed setup, once Apache Polaris returned credentials for the crafted table, the path restriction inside the configured bucket was effectively gone.
The practical effect is that temporary credentials for one crafted table
can be
broader than the table Polaris was asked to authorize, and can become
effectively bucket-wide within the configured bucket.
The current GCS testing used a Polaris principal with broad catalog
privileges for setup. A separate least-privilege Polaris RBAC variant
has not yet been tested on GCS. However, the storage-credential
broadening behavior itself has been confirmed on GCS.
References
could broaden vended S3 credentials through wildcard-bearing namespace or table names
CVE-2026-42810 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-04T16:48:47.000Z
Affected
- Apache Polaris before 1.4.1
Description
Apache Polaris accepts literal * characters in namespace and table names. When it
later builds temporary S3 access policies for delegated table access, those
same characters appear to be reused unescaped in S3 IAM resource patterns
and
s3:prefix conditions.
In S3 IAM policy matching, * is treated as a wildcard rather than as
ordinary text. That means temporary credentials issued for one crafted table
can match the storage path of a different table.
In private testing against Polaris 1.4.0 using Polaris’ AWS S3 temporary-
credential path on both MinIO and real AWS S3, credentials returned for
crafted tables such as f*.t1, f*.*, *.*, and foo.* could reach other
tables’ S3 locations.
The confirmed behavior includes:
- reading another table’s metadata control file ([Iceberg metadata JSON]);
- listing another table’s exact S3 table prefix ([table prefix]);
- and, when write delegation was returned for the crafted table, creating and deleting an object under another table’s exact S3 table prefix.
A control case using ordinary different names did not allow the same cross-table access.
A least-privilege AWS S3 variant was also confirmed in which the attacker principal had no Polaris permissions on the victim table and only the minimal permissions required to create and use a crafted wildcard table (namespace-scopedTABLE_CREATEandTABLE_WRITE_DATAon*). In that setup, direct Polaris access tofoo.t1remained forbidden, but the attacker could still create and load*.*, receive delegated S3 credentials, and use those credentials to list, read, create, and delete objects underfoo.t1.
In Iceberg, the metadata JSON file is a control file: it tells readers which data files belong to the table, which snapshots exist, and which table version to read. So unauthorized access to it is already a meaningful confidentiality problem. The confirmed write-capable variant means the issue is not limited to disclosure.
References
staged table creation could vend storage credentials for unvalidated locations
CVE-2026-42809 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-04T16:36:14.167Z
Affected
- Apache Polaris before 1.4.1
Description
Apache Polaris can issue broad temporary (“vended”) storage credentials during
staged
table creation before the effective table location has been validated or
durably reserved.
Those temporary credentials are meant to limit the scope
of
accessible table data and metadata, but this scope limitation becomes
attacker-
directed because the attacker can choose a reachable target location.
In the confirmed variant, if the caller supplies a custom location during
stage create and requests credential vending, Apache Polaris uses that location to
construct delegated storage credentials immediately. The stage-create path
itself neither runs the normal location validation nor the overlap checks
before those credentials are issued.
Closely related to that, the staged-create flow also accepts
write.data.path / write.metadata.path in the request properties and
feeds
those location overrides into the same effective table location set used for
credential vending. Those fields are secondary to the main custom-location
exploit, but they are still attacker-influenced location inputs that should
be
validated before any credentials are issued.