Hi,

The Apache Polaris community is pleased to announce Apache Polaris 1.4.1.

It's an important release that fixes 4 security issues:

* CVE-2026-42809: An authenticated low-privileged user can abuse Polaris staged table creation to mint broad temporary storage credentials for an attacker-chosen location before Polaris validates that location
* CVE-2026-42810: Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and `s3:prefix` conditions.
* CVE-2026-42811: In plain terms, Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead.
* CVE-2026-42812: No protection on `write.metadata.path`

We strongly advise users to upgrade to this release.

This release can be downloaded here:
* https://polaris.apache.org/downloads/

The artifacts are available on Maven Central:
* https://repo1.maven.org/maven2/org/apache/polaris/

The Docker images are available on Docker Hub:
* https://hub.docker.com/r/apache/polaris/tags
* https://hub.docker.com/r/apache/polaris-admin-tool/tags

Apache Polaris is an open-source, fully-featured catalog for Apache Iceberg™. It implements Iceberg's REST API, enabling seamless multi-engine interoperability across a wide range of platforms, including Apache Doris™, Apache Flink®, Apache Spark™, Dremio®, StarRocks, and Trino.

Enjoy!
--
The Apache Polaris team
