CVE-2026-42810: Apache Polaris S3 Wildcard Vulnerability Creates Critical Data Risk

The National Vulnerability Database (NVD) has detailed CVE-2026-42810, a critical flaw in Apache Polaris that allows literal * characters in namespace and table names. This seemingly innocuous feature becomes a major security hole when Polaris generates temporary S3 access policies. Instead of treating * as a literal character, S3 IAM policy matching interprets it as a wildcard, leading to significant privilege escalation. This means temporary credentials issued for a specially crafted table can grant access to the storage paths of other tables.

NVD reports that private testing against Polaris 1.4.0 on both MinIO and AWS S3 confirmed this behavior. Credentials for crafted tables like f*.t1, f*.*, *.*, and foo.* could access other tables’ S3 locations. This includes reading sensitive Iceberg metadata JSON files, listing exact S3 table prefixes, and, critically, creating and deleting objects under another table’s S3 prefix when write delegation was enabled. This isn’t just a disclosure risk; it’s a full data integrity nightmare. The NVD highlights a least-privilege scenario where an attacker with minimal permissions to create a wildcard table could still gain unauthorized read/write access to unrelated tables.

This vulnerability, with a CVSS score of 9.9 (CRITICAL), underscores a fundamental flaw in how Polaris translates user-supplied input into security policies. The issue stems from improper neutralization of special elements (CWE-116) and improper input validation (CWE-20). For defenders, this means assuming that any Polaris deployment handling S3 data is at risk until patched. The attacker’s calculus is simple: exploit a system’s trust in its own policy generation to bypass intended access controls and gain broad, unauthorized access to data.
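As an added illustration (not code from Polaris or from the original article), the model below shows why a `*` in a table name breaks a policy scoped to that table's prefix, and the identifier check that blocks it. It assumes a simplified layout in which a table's S3 prefix is `<warehouse>/<namespace>/<table>/` and the policy's Resource is that prefix followed by `*`; the bucket, names and object key are constructed.

```python
import re

# Constructed layout (assumption): each table's data lives under
# "<warehouse>/<namespace>/<table>/". Simplified model, not Polaris's own code.
WAREHOUSE = "s3://data-lake/warehouse"

def table_prefix(namespace: str, table: str) -> str:
    return f"{WAREHOUSE}/{namespace}/{table}/"

def policy_resource(prefix: str) -> str:
    """Turn s3://bucket/key/ into the IAM Resource ARN a scoped-down policy would carry."""
    bucket, _, key = prefix[len("s3://"):].partition("/")
    return f"arn:aws:s3:::{bucket}/{key}*"

def iam_glob_match(pattern: str, resource: str) -> bool:
    """IAM Resource semantics: '*' matches any run of characters ('/' included), '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, resource) is not None

def scoped_policy_grants(namespace: str, table: str, other_ns: str, other_table: str) -> bool:
    """Would credentials minted for (namespace, table) reach a metadata file of another table?"""
    pattern = policy_resource(table_prefix(namespace, table))
    victim_object = policy_resource(table_prefix(other_ns, other_table))[:-1] + "metadata/v1.metadata.json"
    return iam_glob_match(pattern, victim_object)

IAM_METACHARS = set("*?")

def valid_identifier(part: str) -> bool:
    """Hardened check: names that flow into a policy must carry no IAM metacharacters or path tricks."""
    return bool(part) and not (IAM_METACHARS & set(part)) and "/" not in part and part not in (".", "..")

def safe_policy_resource(namespace: str, table: str) -> str:
    """Mint the Resource ARN only for names that pass validation; otherwise refuse."""
    for part in (namespace, table):
        if not valid_identifier(part):
            raise ValueError(f"refusing to build policy for identifier {part!r}")
    return policy_resource(table_prefix(namespace, table))

if __name__ == "__main__":
    # Flawed path: a policy for table "f*.t1" also matches table "foo.t1"'s metadata.
    print(scoped_policy_grants("f*", "t1", "foo", "t1"))   # True
    print(scoped_policy_grants("foo", "t1", "foo", "t2"))  # False
    print(valid_identifier("f*"))                          # False
```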

What This Means For You

  • If your organization uses Apache Polaris for data management, especially with S3, you need to immediately assess your exposure to CVE-2026-42810. This isn't theoretical; it allows full read/write access to other tables' data. Prioritize patching to a fixed version as soon as one is available. Until then, review and restrict permissions for creating tables, particularly those with wildcard characters. Audit S3 access logs for any anomalous access patterns, especially those originating from Polaris-delegated credentials, and investigate any tables using `*` in their names.

🛡️ Detection Rules

Severity: critical · ATT&CK: T1568.002 (Lateral Movement)

CVE-2026-42810: Apache Polaris S3 Wildcard Namespace/Table Access

Sigma YAML:
title: 'CVE-2026-42810: Apache Polaris S3 Wildcard Namespace/Table Access'
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-42810 by crafting table names with wildcards ('*') in the request to Apache Polaris. This specific pattern targets the vulnerability where '*' is treated as a wildcard in S3 IAM resource patterns, allowing unauthorized access to other tables' data.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42810/
tags:
  - attack.lateral_movement
  - attack.t1568.002
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v1/namespaces/'
    cs-uri-query|contains:
      - 'tableName=*'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID: CVE-2026-42810 · Type: Vulnerability · Indicator: CVE-2026-42810

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 04, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
