Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-42809 is a critical severity vulnerability with a CVSS score of 9.9. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker-directed because the attacker can choose a reachable target location.
In the confirmed variant, if the caller supplies a custom location during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued.
Closely related to that, the staged-create flow also accepts write.data.path / write.metadata.path in the request properties and
feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-location exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued.
| Vendor | Product |
|---|---|
| Apache | Polaris |
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.