Apache Iceberg CVE-2026-42812 Bypasses Metadata Location Validation
Apache Iceberg is affected by CVE-2026-42812, a critical vulnerability in how its Polaris-managed catalogs handle metadata file locations. According to the National Vulnerability Database, an attacker with privileges to change table settings can manipulate the write.metadata.path property. This bypasses a crucial commit-time validation step that is supposed to revalidate storage locations for metadata files. The core issue is that Polaris skips intended location checks before performing security-sensitive metadata writes when only this property changes.
Under specific configurations, particularly when polaris.config.allow.unstructured.table.location is set to true and allowedLocations are broad, this flaw becomes exploitable. The National Vulnerability Database states that Polaris can be coerced into writing new table metadata to an attacker-controlled storage location. If this location is subsequently accepted by concrete-path validation, Polaris can then issue temporary cloud storage credentials for that same attacker-chosen area without revalidation. This means Polaris effectively hands out access to an attacker-designated storage location.
The implications are severe. The attacker-chosen storage area isn't limited to the poisoned table's own files; it could be a broader storage prefix, another table's prefix, or even an entire bucket/container root, depending on the configuration. This could lead to widespread data and metadata exposure or corruption. Even if the credential-vending step is prevented, Polaris itself still performs the initial metadata write to an unchecked location, which is by itself a significant security bypass.
What This Means For You
- If your organization uses Apache Iceberg with a Polaris-managed catalog, you need to understand your configuration for `polaris.config.allow.unstructured.table.location` and `allowedLocations`. This isn't just a credential-vending issue; Polaris is fundamentally failing to validate metadata write locations. Audit your table settings change logs for any suspicious modifications to `write.metadata.path`. Ensure `polaris.config.allow.unstructured.table.location` is `false` unless absolutely necessary, and keep `allowedLocations` as restrictive as possible.
Related ATT&CK Techniques
🛡️ Detection Rules
```yaml
title: Apache Iceberg Metadata Path Alteration - CVE-2026-42812
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
    This rule detects an attempt to alter the `write.metadata.path` property of an Apache Iceberg table via an ALTER TABLE-style operation. This specific action is the trigger for CVE-2026-42812, as it bypasses intended metadata location validation, allowing an attacker to potentially redirect metadata writes to an attacker-controlled location. This is a critical first step in exploiting the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-42812/
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection:
        cs-method:
            - 'POST'
        # Iceberg REST table commits are sent to /v1/{prefix}/namespaces/{ns}/tables/{table},
        # so both path segments are matched rather than the literal '/v1/tables/'.
        cs-uri|contains|all:
            - '/v1/'
            - '/tables/'
        # The commit request carries table properties in its JSON body; a plain access
        # log only matches when the property name also appears in the query string.
        cs-uri-query|contains:
            - 'write.metadata.path'
    selection_base:
        sc-status:
            - 200
    condition: selection and selection_base
falsepositives:
    - Legitimate administrative activity
```
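The rule's detection logic as a runnable Python check over constructed W3C Extended Log Format access-log lines (an added example, not code from the page or the rule's author); it assumes the log exposes the same `cs-method`, `cs-uri`, `cs-uri-query` and `sc-status` fields the Sigma rule names, and matches the Iceberg REST table path `/v1/{prefix}/namespaces/{ns}/tables/{table}` segment-wise.

```python
"""Run the Sigma rule's detection logic over W3C Extended Log Format lines."""

# Constructed sample log (not real Polaris traffic). The #Fields directive
# names the columns; "-" is the W3C convention for an empty field.
SAMPLE_LOG = """\
#Software: example-gateway
#Fields: date time cs-method cs-uri cs-uri-query sc-status
2026-05-04 20:16:01 POST /v1/cat1/namespaces/sales/tables/orders write.metadata.path=s3://other-bucket/meta 200
2026-05-04 20:16:02 GET /v1/cat1/namespaces/sales/tables/orders - 200
2026-05-04 20:16:03 POST /v1/cat1/namespaces/sales/tables/orders write.metadata.path=s3://other-bucket/meta 403
2026-05-04 20:16:04 POST /v1/cat1/namespaces/sales/tables/orders write.parquet.compression-codec=zstd 200
2026-05-04 20:16:05 POST /v1/cat1/namespaces/sales/properties write.metadata.path=s3://other-bucket/meta 200
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C extended log text into one dict per record, keyed by the #Fields names."""
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no records
        else:
            values = line.split()
            if len(values) == len(fields):  # skip malformed records instead of guessing
                records.append(dict(zip(fields, values)))
    return records


def matches_rule(rec: dict[str, str]) -> bool:
    """Sigma condition 'selection and selection_base' evaluated for one record."""
    uri = rec.get("cs-uri", "")
    selection = (
        rec.get("cs-method") == "POST"
        and "/v1/" in uri and "/tables/" in uri  # table endpoint, not namespace properties
        and "write.metadata.path" in rec.get("cs-uri-query", "")
    )
    selection_base = rec.get("sc-status") == "200"  # only commits the server accepted
    return selection and selection_base


def detect(text: str) -> list[dict[str, str]]:
    """Return every record the rule fires on."""
    return [rec for rec in parse_w3c(text) if matches_rule(rec)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['cs-uri']} query={hit['cs-uri-query']}")
```

Only the first sample record fires: the GET, the rejected 403 commit, the unrelated property change and the namespace-properties request are all filtered out. Because a real commit carries `write.metadata.path` in the JSON request body rather than the query string, a log source that records the body is needed for full coverage.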
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42812 | Information Disclosure | Apache Iceberg, Apache Polaris: Bypassing storage location revalidation via `write.metadata.path` property change in `ALTER TABLE` operations. |
| CVE-2026-42812 | Misconfiguration | Apache Polaris configured with `polaris.config.allow.unstructured.table.location=true` and `allowedLocations` broad enough to include attacker-chosen targets. |
| CVE-2026-42812 | Privilege Escalation | Apache Polaris: User with 'change table settings' permission can cause Polaris to write metadata to attacker-chosen storage, leading to temporary cloud-storage credential disclosure for that location. |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.