Apache Polaris critical credential vending vulnerability CVE-2026-42809 published with CVSS 9.9
Tags Security · OSS · Infrastructure
TheHackerWire · oss-sec (seclists.org)

A critical Apache Polaris vulnerability (CVE-2026-42809) with a CVSS score of 9.9 has been disclosed. The flaw involves credential vending in Apache Polaris, an open-source interoperable catalog for Apache Iceberg, and potentially exposes access to sensitive data. Apache Polaris security advisories and multiple security feeds, including oss-sec, flagged the issue as a high-priority patch for data lake and analytics infrastructure that relies on Polaris for table management and access control.