Security
Reporting Security Issues
The Apache Paimon Project uses the standard process outlined by the Apache Security Team for reporting vulnerabilities.
Note that vulnerabilities should not be publicly disclosed until the project has responded.
To report a possible security vulnerability, please email security@apache.org.
Security Model
Apache Paimon is a data lake platform and a set of libraries and integrations used inside larger systems such as catalogs, query engines, and services.
In most deployments, the primary trust and authorization boundaries are enforced by the surrounding catalog, query engine, service, operator configuration, and storage-level authorization (for example, object-store IAM policies) rather than by Paimon alone.
Paimon security issues generally include:
- Secret or credential disclosure to a newly reachable audience (e.g., bearer tokens, access keys, or delegated storage tokens leaking across catalog, session, or table boundaries)
- Other cases where Paimon itself creates a new unauthorized capability rather than merely reflecting the trust decisions of a catalog, engine, or operator
Many other issues may still be valid bugs but are not normally considered security vulnerabilities in Paimon. These include:
- Robustness issues such as crashes or memory exhaustion on malformed input
- Issues that require a malicious catalog, metastore, REST Catalog server, or other external service
- Issues that depend on operator misconfiguration (e.g., overly broad IAM policies, missing TLS)
Potential vulnerabilities that fall within this security model should be reported privately using the process above. Other bugs and hardening issues should be reported through the public issue tracker.
For a more detailed threat model used for maintainer triage and scanner calibration, see the Apache Paimon Security Threat Model.