CVE-2026-34214: Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON

March 29, 2026

Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level.

References

github.com/advisories/GHSA-x27p-5f68-m644
github.com/trinodb/trino
github.com/trinodb/trino/releases/tag/480
github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644
nvd.nist.gov/vuln/detail/CVE-2026-34214

Code Behaviors & Features

Detect and mitigate CVE-2026-34214 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →