Apache Polaris
4 CVEs affecting Apache Polaris. Latest disclosed: 2026-05-04. Critical: 4, High: 0.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2026-42812 | Critical | 9.9 | 2026-05-04 | In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `wr… |
CVE-2026-42811 | Critical | 9.9 | 2026-05-04 | In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can… |
CVE-2026-42810 | Critical | 9.9 | 2026-05-04 | Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those… |
CVE-2026-42809 | Critical | 9.9 | 2026-05-04 | Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or … |