CVE-2026-13512

EUVD-2026-40009
A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::state_key of the file src/query/service/src/servers/http/v1/session/client_session_manager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Common Weakness Enumeration
References
https://github.com/databendlabs/databend/issues/19930
https://github.com/databendlabs/databend/pull/19931
https://vuldb.com/cve/CVE-2026-13512
https://vuldb.com/submit/838874
https://vuldb.com/vuln/374520
https://vuldb.com/vuln/374520/cti