Platform: java
Component: io.trino:trino-iceberg
Fixed in: 439.0.1, 480
CVE-2026-34214 is a high-severity vulnerability affecting the Trino Iceberg connector. It allows users with SQL-level write privileges to access sensitive credentials, such as static or temporary access keys used for object storage. This exposure can lead to unauthorized data access and potential compromise. The vulnerability affects Trino Iceberg connector versions up to and including 479; a fix is available in version 480.
The primary impact of CVE-2026-34214 is the exposure of sensitive credentials used by the Trino Iceberg connector to access object storage. An attacker with SQL-level write privileges can use this vulnerability to view these credentials, potentially gaining unauthorized access to the underlying data stored in object storage, including exfiltration, modification, or deletion. The blast radius extends to any data protected by the object storage reached through the vulnerable connector. The query JSON feature, which serializes query plans, is the vector for this exposure, which underlines the importance of carefully controlling access to query visualization tools.
CVE-2026-34214 was publicly disclosed on 2026-03-29. Its severity is rated HIGH (CVSS 7.7). There are currently no publicly known proof-of-concept exploits, and it is not listed in the CISA KEV catalog as of this writing. Because exploitation requires write privileges, it would most likely require insider access or a compromised account with sufficient permissions.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34214 is to upgrade the Trino Iceberg connector to version 480 or later, which includes the fix. If an immediate upgrade is not feasible, restrict access to the query JSON feature to authorized personnel only. Review and audit SQL write privileges so that only users who need them have them, and use network segmentation to limit access to the Trino cluster from untrusted networks. After upgrading, confirm the fix by attempting to view the credentials through the query JSON feature with a user account that previously had write privileges; the credentials should no longer be visible.
Update Trino to version 480 or higher. This version fixes the vulnerability that allows unauthorized access to Iceberg REST catalog credentials via query JSON.
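As an added example (not code from the advisory or the Trino project), the following Python check evaluates a coordinator's /v1/info document together with rows from system.runtime.nodes and system.metadata.catalogs to flag nodes still running an affected release and Iceberg catalogs that are in use. The sample data is constructed, and treating the leading integer of a vendor-formatted version string as the upstream Trino release is my assumption.

```python
import re

# From the advisory: releases up to and including 479 are affected, 480 is fixed.
FIRST_FIXED_RELEASE = 480

# Constructed sample of the JSON shape served by Trino's /v1/info endpoint
# (values are made up for this example).
SAMPLE_INFO = {"nodeVersion": {"version": "479"}, "environment": "prod", "coordinator": True}

# Constructed sample rows, as returned by
#   SELECT node_id, node_version FROM system.runtime.nodes
SAMPLE_NODES = [
    {"node_id": "coordinator-1", "node_version": "480"},
    {"node_id": "worker-1", "node_version": "479"},
    {"node_id": "worker-2", "node_version": "471-e.3"},   # vendor-style suffix
]

# Constructed sample rows, as returned by
#   SELECT catalog_name, connector_name FROM system.metadata.catalogs
SAMPLE_CATALOGS = [
    {"catalog_name": "lakehouse", "connector_name": "iceberg"},
    {"catalog_name": "tpch", "connector_name": "tpch"},
]

def trino_release(version: str):
    """Return the leading integer of a Trino version string, or None if absent.
    Assumption: vendor builds keep the upstream release as the leading integer."""
    m = re.match(r"\s*(\d+)", version or "")
    return int(m.group(1)) if m else None

def is_affected(version: str) -> bool:
    """True for releases below 480; an unparseable version is treated as affected."""
    rel = trino_release(version)
    return rel is None or rel < FIRST_FIXED_RELEASE

def affected_nodes(rows):
    """node_ids of cluster members still on an affected release."""
    return [r["node_id"] for r in rows if is_affected(r.get("node_version", ""))]

def coordinator_affected(info: dict) -> bool:
    """Evaluate the coordinator's /v1/info document."""
    return is_affected(info.get("nodeVersion", {}).get("version", ""))

def iceberg_catalogs(rows):
    """Catalogs backed by the Iceberg connector; exposure needs at least one."""
    return [r["catalog_name"] for r in rows if r.get("connector_name") == "iceberg"]

if __name__ == "__main__":
    print("coordinator affected:", coordinator_affected(SAMPLE_INFO))
    print("affected nodes:", affected_nodes(SAMPLE_NODES))
    print("iceberg catalogs:", iceberg_catalogs(SAMPLE_CATALOGS))
```

A cluster is exposed only when both lists are non-empty: an affected release and at least one Iceberg catalog.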
CVE-2026-34214 is a high-severity vulnerability in the Trino Iceberg connector in which sensitive credentials can be exposed to users with SQL write privileges, potentially leading to unauthorized data access.
You are affected if you are using Trino Iceberg connector version 479 or earlier and have users with SQL-level write privileges.
Upgrade the Trino Iceberg connector to version 480 or later to remediate the vulnerability. Restrict access to the query JSON feature as an interim measure.
As of now, there are no publicly known active exploitation campaigns targeting CVE-2026-34214.
Refer to the official Trino security advisory for detailed information and updates regarding CVE-2026-34214: [https://trino.io/security](https://trino.io/security)