SCA: security update for org.apache.polaris:polaris-runtime-service (GHSA-8ggj-j522-h5qf)

Critical Tenable Self-Hosted Container Security Plugin ID 441561

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation
before the effective table location has been validated or durably reserved. Those temporary credentials
are meant to limit the scope of accessible table data and metadata, but because the attacker can choose
any reachable target location, the scope limitation becomes attacker-directed. In the confirmed variant,
if the caller supplies a custom `location` during stage create and requests credential vending, Apache
Polaris uses that location to construct delegated storage credentials immediately; the stage-create path
runs neither the normal location validation nor the overlap checks before those credentials are issued.
Closely related, the staged-create flow also accepts `write.data.path` and `write.metadata.path` in the
request properties and feeds those location overrides into the same effective table location set used for
credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still
attacker-influenced location inputs that should be validated before any credentials are issued.
(CVE-2026-42809)
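The following is an added example, not Apache Polaris code, showing the shape of the check the advisory says the stage-create path skipped: every attacker-influenced location input (`location`, `write.data.path`, `write.metadata.path`) is normalized, confirmed to sit under the namespace's allowed base location, and checked for overlap with existing tables before any delegated credential is scoped to it. The request dictionaries loosely mirror an Iceberg REST create-table request, but the function names, the `LocationRejected` type, the bucket and namespace URIs and the simulated credential format are all hypothetical; the sample requests are constructed to exercise the escape paths a practitioner would want covered.

```python
"""Pre-vending location validation (added example, not Apache Polaris code).

Each location the caller can influence on a staged create must pass these
checks *before* a delegated storage credential is built from it. Names,
request shape and sample URIs are hypothetical.
"""
import posixpath
from urllib.parse import urlsplit


class LocationRejected(ValueError):
    """A requested location escapes the allowed prefix or overlaps another table."""


def normalize(uri: str) -> str:
    """Canonicalize to 'scheme://bucket/path/' with a trailing slash.

    normpath collapses '.', '..' and repeated slashes, so 's3://b/ns/t/../../x'
    cannot pose as a child of 's3://b/ns/'. The trailing slash makes prefix tests
    exact: 's3://b/ns-evil/' is not under 's3://b/ns/'.
    """
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        raise LocationRejected(f"not an absolute object-store URI: {uri!r}")
    path = posixpath.normpath("/" + parts.path.lstrip("/")).rstrip("/") + "/"
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def under(candidate: str, base: str) -> bool:
    """True if the normalized candidate lies at or below the normalized base."""
    return candidate.startswith(base)


def effective_locations(request: dict) -> list[str]:
    """Every location input the caller controls on a staged create."""
    locs = []
    if request.get("location"):
        locs.append(request["location"])
    props = request.get("properties", {})
    for key in ("write.data.path", "write.metadata.path"):
        if props.get(key):
            locs.append(props[key])
    return locs


def validate_for_vending(request, namespace_base, existing_tables) -> list[str]:
    """Return the normalized prefixes a credential may be scoped to, or raise."""
    base = normalize(namespace_base)
    existing = [normalize(loc) for loc in existing_tables]
    approved = []
    for raw in effective_locations(request):
        loc = normalize(raw)
        if not under(loc, base):
            raise LocationRejected(f"{raw!r} escapes namespace base {namespace_base!r}")
        for other in existing:
            if under(loc, other) or under(other, loc):
                raise LocationRejected(f"{raw!r} overlaps existing table {other!r}")
        approved.append(loc)
    return approved


def vend_credentials(request, namespace_base, existing_tables) -> dict:
    """Simulated vending: the scope is derived only from validated prefixes."""
    prefixes = validate_for_vending(request, namespace_base, existing_tables)
    return {"allowed_prefixes": prefixes, "actions": ["read", "write"], "ttl_seconds": 3600}


def rejects(request, namespace_base, existing_tables) -> bool:
    """True if vending is refused for this request."""
    try:
        vend_credentials(request, namespace_base, existing_tables)
    except LocationRejected:
        return True
    return False


# Constructed sample data (hypothetical bucket, namespace and tables).
NAMESPACE_BASE = "s3://analytics-bucket/warehouse/sales/"
EXISTING_TABLES = ["s3://analytics-bucket/warehouse/sales/orders/"]

LEGIT_REQUEST = {"name": "returns", "stage-create": True,
                 "location": "s3://analytics-bucket/warehouse/sales/returns/"}

# Each entry is one way an attacker-chosen location could widen the credential scope.
ATTACK_REQUESTS = {
    "other-namespace": {"stage-create": True,
                        "location": "s3://analytics-bucket/warehouse/finance/payroll/"},
    "dot-dot-traversal": {"stage-create": True,
                          "location": "s3://analytics-bucket/warehouse/sales/x/../../finance/"},
    "sibling-prefix": {"stage-create": True,
                       "location": "s3://analytics-bucket/warehouse/sales-archive/"},
    "inside-existing-table": {"stage-create": True,
                              "location": "s3://analytics-bucket/warehouse/sales/orders/data/"},
    "parent-of-existing-table": {"stage-create": True,
                                 "location": "s3://analytics-bucket/warehouse/sales/"},
    "write-path-override": {"stage-create": True,
                            "location": "s3://analytics-bucket/warehouse/sales/returns/",
                            "properties": {"write.data.path": "s3://analytics-bucket/warehouse/finance/"}},
    "non-object-store-uri": {"stage-create": True, "location": "file:///etc/"},
}

if __name__ == "__main__":
    print(vend_credentials(LEGIT_REQUEST, NAMESPACE_BASE, EXISTING_TABLES))
    for label, req in ATTACK_REQUESTS.items():
        verdict = "rejected" if rejects(req, NAMESPACE_BASE, EXISTING_TABLES) else "VENDED"
        print(f"{label}: {verdict}")
```

The ordering is the point: `vend_credentials` cannot be reached with a location that has not passed `validate_for_vending`, whereas the advisory describes a path that built the credential from the caller's `location` first. The `write-path-override` case shows why the property overrides must flow through the same validator as the primary location rather than being treated as harmless metadata.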

Solution

Update the org.apache.polaris:polaris-runtime-service library and its related packages to version 1.4.1 or later.

See Also

https://github.com/advisories/GHSA-8ggj-j522-h5qf

Plugin Details

Severity: Critical

ID: 441561

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 5/8/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.7

Percentile: 99.07

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-42809

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.4

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/4/2026

Vulnerability Publication Date: 5/4/2026

Reference Information

CVE: CVE-2026-42809

CWE: CWE-20