External risk intelligence

Apache Polaris could allow an internal attacker to expose or corrupt sensitive data

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-42812

An internal attacker with existing access to Apache Polaris can manipulate table settings to direct data storage to unauthorized locations. This flaw could allow them to expose sensitive company information or corrupt critical files.

1Halo Surface Signal

Apache Polaris

before 1.4.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-42812

Apache Polaris is an internal data catalog service, not a public-facing web application or edge service. The vulnerability requires existing authenticated access to an internal system and specific administrative privileges to modify table settings, making public internet exposure of this attack surface highly unlikely.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

An issue in Apache Polaris allows a user with existing access to alter table settings to cause the system to write metadata to an attacker-controlled storage location. This can lead to the system later issuing credentials that grant access to that location, potentially exposing or corrupting data and metadata.

  • Can expose or modify data.
  • Affects systems with specific configuration.
  • Requires existing table modification privileges.

Attack Path

How an attacker could exploit the issue

An attacker with existing read access to a table in an Apache Polaris catalog could abuse a flaw in how table metadata paths are updated. By changing the `write.metadata.path` table property, they can trick Polaris into writing new table metadata to an attacker-chosen location before proper validation occurs. This allows them to potentially expose or corrupt data and metadata within that location, and later gain credentials to access it.

  • Requires authenticated user access.
  • Target: Apache Polaris catalog settings.
  • Precondition: Specific catalog configuration.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk in configurations allowing unstructured table locations, enabling an authenticated user to redirect metadata writes and potentially compromise or corrupt data and metadata accessible by Polaris. The core issue stems from bypassing commit-time validation, leading to subsequent credential vending for attacker-chosen storage locations.

  • Exploitation requires authenticated access.
  • Targeted configuration is specific.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating services using Apache Polaris if they allow unauthenticated users to alter table settings or if the `polaris.config.allow.unstructured.table.location` property is enabled. This vulnerability can allow an attacker to write metadata to arbitrary locations, potentially leading to data exposure or corruption, and could even lead to credential vending for cloud storage.

  • Block unauthorized table setting changes.
  • Monitor for suspicious metadata writes.
  • Update to Polaris version 1.4.1 or later.

Frequently asked questions

What is Apache Polaris and its function within data management systems?

Apache Polaris functions as a data catalog service, essential for managing metadata files. These files guide readers on which data files constitute a specific table and which version of that table to access, thereby organizing and enabling access to data within a storage environment.

What type of weakness does CVE-2026-42812 reveal in Apache Polaris?

CVE-2026-42812 identifies a weakness related to improper data validation within Apache Polaris. This flaw permits a user authorized to modify table settings to circumvent security checks and write table metadata to a storage location controlled by an attacker.

How can an attacker exploit CVE-2026-42812 in Apache Polaris?

An attacker with authenticated access to alter table settings can exploit this vulnerability by changing the `write.metadata.path` property. This action bypasses validation checks, causing Polaris to write new table metadata to an attacker-specified location, potentially leading to data exposure or corruption.

What is the practical impact of CVE-2026-42812 on data security?

This vulnerability can lead to the exposure or modification of sensitive data and metadata. In specific configurations, it enables an authenticated user to redirect metadata writes to attacker-controlled storage, potentially resulting in data compromise and credential vending for cloud storage.

What steps should be taken to address the CVE-2026-42812 vulnerability in Apache Polaris?

To mitigate this risk, it is recommended to update Apache Polaris to version 1.4.1 or later. Additionally, organizations should isolate services using Polaris if they permit unauthenticated users to alter table settings or if the `polaris.config.allow.unstructured.table.location` property is enabled, and monitor for unusual metadata writes.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified