Description
A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::state_key of the file src/query/service/src/servers/http/v1/session/client_session_manager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-28
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Databend's Tenant Handler allows an attacker to tamper with the state_key parameter in the ClientSessionManager::state_key routine. This manipulation bypasses normal access controls, granting unauthorized privileges and potentially exposing or altering tenant data. The weakness aligns with missing authorization (CWE-285) and abuse of a user-controlled key to bypass restrictions (CWE-639).

Affected Systems

Databend versions up to and including 1.2.881 that expose the HTTP interface are affected. The issue resides in the file src/query/service/src/servers/http/v1/session/client_session_manager.rs within the Tenant Handler component. Systems running any of these versions without the fix and with the HTTP endpoint reachable from untrusted networks are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, but the exploit code is publicly available and an attacker can execute it remotely via HTTP. Without remediation, the risk remains that unauthorized users may gain privileged access to tenant resources.

Generated by OpenCVE AI on June 29, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Databend to a version that includes the fix once the pull request is merged and released.
  • If a new release is not yet available, restrict access to the Databend HTTP endpoint to trusted networks or enforce additional authentication to mitigate unauthorized state_key manipulation.
  • Monitor Databend logs for anomalous calls to ClientSessionManager::state_key, particularly from unfamiliar IP addresses or session identifiers.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 23:00:00 +0000

Values Removed: none
Values Added:
Description: A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::state_key of the file src/query/service/src/servers/http/v1/session/client_session_manager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
Title: Databend Tenant client_session_manager.rs state_key authorization
First Time appeared: Databend; Databend databend
Weaknesses: CWE-285, CWE-639
CPEs: cpe:2.3:a:databend:databend:*:*:*:*:*:*:*:*
Vendors & Products: Databend; Databend databend
References:
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T22:45:10.824Z

Reserved: 2026-06-28T06:31:32.823Z

Link: CVE-2026-13512

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T00:30:04Z

Weaknesses
  • CWE-285: Improper Authorization
  • CWE-639: Authorization Bypass Through User-Controlled Key