CVE-2026-34214 - Vulnerability Details - OpenCVE

Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/trinodb/trino/releases/tag/480
https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644

History

Tue, 31 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 31 Mar 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.
Title		Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON
Weaknesses		CWE-212 CWE-312
References		https://github.com/trinodb/trino/releases/tag/480 https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-31T14:14:47.982Z

Updated: 2026-03-31T14:28:53.287Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34214

Vulnrichment

Updated: 2026-03-31T14:28:49.762Z

NVD

Status : Received

Published: 2026-03-31T15:16:18.400

Modified: 2026-03-31T15:16:18.400

Link: CVE-2026-34214

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34214", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.324Z", "datePublished": "2026-03-31T14:14:47.982Z", "dateUpdated": "2026-03-31T14:28:53.287Z"}, "containers": {"cna": {"title": "Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON", "problemTypes": [{"descriptions": [{"cweId": "CWE-212", "lang": "en", "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-312", "lang": "en", "description": "CWE-312: Cleartext Storage of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644"}, {"name": "https://github.com/trinodb/trino/releases/tag/480", "tags": ["x_refsource_MISC"], "url": "https://github.com/trinodb/trino/releases/tag/480"}], "affected": [{"vendor": "trinodb", "product": "trino", "versions": [{"version": ">= 439, < 480", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:14:47.982Z"}, "descriptions": [{"lang": "en", "value": "Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480."}], "source": {"advisory": "GHSA-x27p-5f68-m644", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:28:47.033694Z", "id": "CVE-2026-34214", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:28:53.287Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34214", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T14:28:47.033694Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:28:49.762Z"}}], "cna": {"title": "Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON", "source": {"advisory": "GHSA-x27p-5f68-m644", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "trinodb", "product": "trino", "versions": [{"status": "affected", "version": ">= 439, < 480"}]}], "references": [{"url": "https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644", "name": "https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/trinodb/trino/releases/tag/480", "name": "https://github.com/trinodb/trino/releases/tag/480", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-212", "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T14:14:47.982Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34214", "state": "PUBLISHED", "dateUpdated": "2026-03-31T14:28:53.287Z", "dateReserved": "2026-03-26T15:57:52.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T14:14:47.982Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}