CVE-2026-13512
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
A vulnerability was found in Databend up to version 1.2.881 on HTTP. The ClientSessionManager::state_key function in client_session_manager.rs allows authorization bypass. The attack can be performed remotely and the exploit is publicly available.
Risk Assessment
The organization is at risk of unauthorized access to resources and data in Databend, potentially leading to data confidentiality and integrity breaches.
Recommendation
Apply the available patch immediately or upgrade Databend to a version newer than 1.2.881. Until the fix is applied, restrict access to the HTTP interface.
Original NVD description (English source)
A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::state_key of the file src/query/service/src/servers/http/v1/session/client_session_manager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.

