External risk intelligence

Apache Polaris could allow an internal attacker to access or modify sensitive data

CVE advisory
Severity: CRITICAL (CVSS 9.4)

CVE-2026-42810

An internal attacker can exploit a flaw in Apache Polaris to bypass cloud storage access controls and access, modify, or delete sensitive business data. This vulnerability poses a significant risk to data privacy and could allow unauthorized destruction of proprietary information.

Halo Surface Signal: 1

Affected: Apache Polaris before 1.4.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-42810

Apache Polaris is an internal data governance and catalog service for managing Apache Iceberg table permissions. It is designed for deployment within protected internal networks or private cloud environments and is not intended for or commonly exposed to the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Apache Polaris allows unauthorized access to data by exploiting how special characters in names are handled. When creating temporary access policies for tables, Polaris copies literal wildcard characters from namespace and table names into the policy without escaping them, so a crafted table request can yield credentials that reach unrelated data. This could expose sensitive metadata or allow unauthorized modifications to data.

  • Compromised credentials can access other tables.
  • Sensitive table metadata may be disclosed.
  • Unauthorized data modifications are possible.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by creating a specially crafted table name with wildcard characters in Apache Polaris. This allows them to obtain temporary S3 credentials that, due to improper escaping of the wildcard characters in S3 IAM policies, grant them access to other tables' data and metadata. The attacker could then read, list, or even modify data belonging to different tables without proper authorization.

  • Attacker needs table creation permission.
  • Exploits unescaped wildcard characters.
  • Allows cross-table data access.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability appealing because it allows for unauthorized access to sensitive data and potentially unauthorized modifications to cloud storage. The ability to bypass access controls and reach other tables' S3 locations, even with minimal initial permissions, presents a significant risk. This could lead to data exfiltration or manipulation within the cloud environment.

  • Limited observed exploitation.
  • No public exploit code confirmed.
  • Exploitability depends on deployment context.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize reviewing logs for unexpected S3 access patterns, especially those involving wildcard characters in table or namespace names. Block any traffic exhibiting this behavior and immediately inventory all affected tables and their associated S3 storage to assess exposure.

  • Isolate affected services if exploitation is confirmed.
  • Upgrade Apache Polaris to version 1.4.1 or later.
  • Monitor S3 access logs for unauthorized activity.
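The log review recommended above can be scripted. The following is an added example, not code from the advisory or from the Apache Polaris project: it parses S3 server access log lines in the standard space-separated format (only the first ten fields are used), flags object keys whose decoded path contains a literal `*` or `?` in a namespace or table segment, and flags any single requester (for vended credentials this is the assumed-role session) that successfully touches more than one table prefix. The log lines, the bucket name, the account id and the `namespace/table/...` key layout are all constructed for the example; adjust `table_prefix` to your own storage layout.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed S3 server access log sample (first ten fields of the standard format).
# Account id 123456789012 and role/session names are placeholders.
SAMPLE_LOG = """\
OWNERID example-lakehouse [12/May/2026:10:15:01 +0000] 203.0.113.7 arn:aws:sts::123456789012:assumed-role/polaris-vended/session1 REQ0001 REST.GET.OBJECT sandbox/scratch/metadata/v1.metadata.json "GET /example-lakehouse/sandbox/scratch/metadata/v1.metadata.json HTTP/1.1" 200 - 1024 1024 12 8 "-" "polaris-client" -
OWNERID example-lakehouse [12/May/2026:10:16:44 +0000] 203.0.113.9 arn:aws:sts::123456789012:assumed-role/polaris-vended/session2 REQ0002 REST.PUT.OBJECT sandbox/%2A/metadata/v1.metadata.json "PUT /example-lakehouse/sandbox/%2A/metadata/v1.metadata.json HTTP/1.1" 200 - 2048 2048 15 9 "-" "polaris-client" -
OWNERID example-lakehouse [12/May/2026:10:17:02 +0000] 203.0.113.9 arn:aws:sts::123456789012:assumed-role/polaris-vended/session2 REQ0003 REST.GET.OBJECT finance/payroll/metadata/v1.metadata.json "GET /example-lakehouse/finance/payroll/metadata/v1.metadata.json HTTP/1.1" 200 - 4096 4096 11 7 "-" "aws-cli" -
OWNERID example-lakehouse [12/May/2026:10:17:05 +0000] 203.0.113.9 arn:aws:sts::123456789012:assumed-role/polaris-vended/session2 REQ0004 REST.GET.OBJECT sales/orders/data/part-0.parquet "GET /example-lakehouse/sales/orders/data/part-0.parquet HTTP/1.1" 200 - 65536 65536 30 20 "-" "aws-cli" -
OWNERID example-lakehouse [12/May/2026:10:18:30 +0000] 203.0.113.4 arn:aws:sts::123456789012:assumed-role/polaris-vended/session3 REQ0005 REST.GET.OBJECT sales/orders/data/part-1.parquet "GET /example-lakehouse/sales/orders/data/part-1.parquet HTTP/1.1" 403 AccessDenied - - 5 - "-" "aws-cli" -
"""

# Bucket owner, bucket, [time], remote ip, requester, request id, operation, key, "request-uri", status
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\d{3})'
)

IAM_GLOB_CHARS = ("*", "?")


def parse_s3_access_log(line: str):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["key"] = unquote(fields["key"])  # keys are URL-encoded in the log
    return fields


def table_prefix(key: str) -> str:
    """Assumed layout: <namespace>/<table>/... ; the first two segments identify the table."""
    parts = key.split("/")
    return "/".join(parts[:2])


def key_has_wildcard(key: str) -> bool:
    """True if any namespace or table segment contains a literal IAM glob character."""
    return any(c in table_prefix(key) for c in IAM_GLOB_CHARS)


def analyze(lines, max_tables_per_requester: int = 1) -> dict:
    """Flag wildcard-bearing keys and requesters that successfully reach several tables."""
    wildcard_keys = []
    tables_by_requester = defaultdict(set)
    for line in lines:
        rec = parse_s3_access_log(line)
        if rec is None:
            continue
        if key_has_wildcard(rec["key"]):
            wildcard_keys.append((rec["requester"], rec["key"]))
        if rec["status"].startswith("2"):  # only count successful requests
            tables_by_requester[rec["requester"]].add(table_prefix(rec["key"]))
    cross_table = {
        requester: sorted(prefixes)
        for requester, prefixes in tables_by_requester.items()
        if len(prefixes) > max_tables_per_requester
    }
    return {"wildcard_keys": wildcard_keys, "cross_table_requesters": cross_table}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG.splitlines())
    for requester, key in findings["wildcard_keys"]:
        print(f"wildcard in object key: {requester} -> {key}")
    for requester, prefixes in findings["cross_table_requesters"].items():
        print(f"requester spans several tables: {requester} -> {prefixes}")
```

Vended credentials are normally scoped to one table, so a session that reads or writes under several table prefixes is the behaviour this advisory describes; raise `max_tables_per_requester` if your engines legitimately hold multi-table sessions, and feed the function the log lines for the affected buckets from the period in question.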

Frequently asked questions

What is Apache Polaris and its function in data governance?

Apache Polaris is an open-source data governance and catalog service designed to manage permissions and access control for Apache Iceberg tables. It acts as a centralized catalog, providing discovery, governance, and semantic capabilities for data lakehouses. Polaris implements the Iceberg REST Catalog specification, enabling interoperability across various query engines and offering features like Role-Based Access Control (RBAC) and credential vending to securely manage access to data assets.

How does CVE-2026-42810 exploit Apache Polaris's handling of wildcards?

CVE-2026-42810 arises from Apache Polaris's improper handling of literal wildcard characters ('*') in namespace and table names. When constructing temporary S3 access policies, Polaris reuses these wildcard characters without proper escaping. Since S3 IAM policy matching interprets '*' as a wildcard, crafted table names can lead to temporary credentials granting unintended access to unrelated tables' data and metadata. This vulnerability is classified under CWE-20 (Improper Input Validation) and CWE-116...
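To make the mechanism concrete, here is an added example that is not code from the advisory or from Apache Polaris. It simulates how an IAM `Resource` pattern is matched (`*` matches any run of characters, `?` exactly one), shows a simplified policy builder that copies the table path into the pattern verbatim, and shows the hardened builder that refuses names containing IAM glob characters before any policy is built. The bucket name, the `namespace/table/` storage layout and the candidate object keys are constructed for the example; Polaris's real layout and policy shape differ.

```python
import re

BUCKET = "example-lakehouse"  # constructed bucket name
IAM_GLOB_CHARS = ("*", "?")

# Constructed object keys belonging to three different tables.
CANDIDATE_KEYS = [
    "finance/payroll/metadata/v1.metadata.json",
    "sales/orders/data/part-0.parquet",
    "sandbox/scratch/data/part-0.parquet",
]


class UnsafeTableName(ValueError):
    """Raised when a namespace or table name contains an IAM glob character."""


def iam_resource_matches(pattern: str, resource: str) -> bool:
    """Approximate IAM Resource matching: '*' matches any characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, resource) is not None


def table_location(namespace: str, table: str) -> str:
    """Assumed storage layout: s3://<bucket>/<namespace>/<table>/..."""
    return f"{namespace}/{table}/"


def vended_resources_unsafe(namespace: str, table: str) -> list:
    """Mirrors the flaw the advisory describes: the table path is copied into the
    policy pattern verbatim, so a literal '*' in the name becomes an IAM wildcard."""
    return [f"arn:aws:s3:::{BUCKET}/{table_location(namespace, table)}*"]


def vended_resources_safe(namespace: str, table: str) -> list:
    """Hardened form: reject names that carry glob characters before building the policy.
    IAM has no escape syntax for '*' in a Resource ARN, so refusing the name is the
    reliable fix at the catalog layer."""
    for part in (namespace, table):
        if any(c in part for c in IAM_GLOB_CHARS):
            raise UnsafeTableName(f"glob character in identifier: {part!r}")
    return vended_resources_unsafe(namespace, table)


def keys_reachable(resources: list, keys: list) -> list:
    """Which of the candidate keys a policy with these Resource patterns would cover."""
    return sorted(
        k for k in keys
        if any(iam_resource_matches(r, f"arn:aws:s3:::{BUCKET}/{k}") for r in resources)
    )


if __name__ == "__main__":
    # A normal table: the vended policy reaches only that table's own prefix.
    print(keys_reachable(vended_resources_unsafe("sandbox", "scratch"), CANDIDATE_KEYS))
    # Names made of glob characters widen the pattern to every table in the bucket.
    print(keys_reachable(vended_resources_unsafe("*", "*"), CANDIDATE_KEYS))
    # The hardened builder refuses such names outright.
    try:
        vended_resources_safe("*", "*")
    except UnsafeTableName as exc:
        print("rejected:", exc)
```

The first call shows the intended scope (one table); the second shows how the same builder, fed an identifier that is only glob characters, produces a pattern covering every candidate key, which is the cross-table access the advisory describes. A unit test of the form in the last block (assert that the safe builder raises on any name containing `*` or `?`) is a cheap regression check to keep in a catalog's test suite.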

What actions can an attacker perform by exploiting CVE-2026-42810?

An authenticated attacker with minimal privileges in Apache Polaris can exploit CVE-2026-42810 to gain unauthorized access. By creating a crafted table name with wildcard characters, they can obtain temporary S3 credentials that allow them to list, read, create, and delete objects within other tables' S3 locations. This includes accessing sensitive metadata files and potentially modifying or deleting data they should not have access to.

What is the recommended mitigation for CVE-2026-42810 in Apache Polaris?

The primary mitigation for CVE-2026-42810 is to upgrade Apache Polaris to version 1.4.1 or later, as this version includes fixes for the vulnerability. Additionally, organizations should review logs for unusual S3 access patterns, particularly those involving wildcard characters in table or namespace names, and isolate affected services if exploitation is confirmed.

What are the implications of the vulnerability for data confidentiality and integrity?

CVE-2026-42810 significantly impacts data confidentiality by allowing unauthorized access to sensitive metadata and data files. It also affects data integrity, as the vulnerability can enable attackers to create and delete objects under other tables' S3 prefixes, potentially leading to data modification or corruption. The confirmed write-capable variant means the issue is not limited to disclosure.
