CVE-2026-34214
Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON
CVSS Score
7.7
EPSS Score
0.0%
EPSS Percentile
0th
Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.
| CWE | CWE-212 CWE-312 |
| Vendor | trinodb |
| Product | trino |
| Published | Mar 31, 2026 |
| Last Updated | Mar 31, 2026 |
Stay Ahead of the Next One
Get instant alerts for trinodb trino
Be the first to know when new high vulnerabilities affecting trinodb trino are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
trinodb / trino
>= 439, < 480