CVE-2026-13512

Source
https://cve.org/CVERecord?id=CVE-2026-13512
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13512.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-13512
Published
2026-06-28T22:45:10.824Z
Modified
2026-07-15T01:49:08.120663650Z
Severity
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Databend Tenant client_session_manager.rs state_key authorization
Details

A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::statekey of the file src/query/service/src/servers/http/v1/session/clientsession_manager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.

Database specific
{
    "cwe_ids": [
        "CWE-285",
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13512.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/databendlabs/databend

Affected ranges

Type
GIT
Repo
https://github.com/databendlabs/databend
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.2.881"
        },
        {
            "last_affected": "1.2.881"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

1.*
1.2.881
v1.*
v1.2.881-nightly

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13512.json"