Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires authenticated access plus knowledge of a victim's UUID session ID (AC:H); crosses tenant security boundary (S:C); no availability impact confirmed.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::state_key of the file src/query/service/src/servers/http/v1/session/client_session_manager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.
AnalysisAI
Tenant isolation bypass in Databend up to 1.2.881 allows an authenticated remote attacker to access or corrupt session state belonging to users in other tenants by exploiting a missing tenant dimension in the ClientSessionManager session key derivation. The state_key function generated keys using only username and client_session_id, enabling key collisions across tenants sharing a server process - a flaw confirmed by the PR #19931 diff which adds tenant scoping to all key construction paths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Databend session with at least low-privilege access (PR:L per CVSS vector), confirming unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 2.1 (AV:N/AC:L/AT:N/PR:L/UI:N with VC:L/VI:L/VA:L and E:P) accurately reflects the bounded impact: exploitation is limited to session-scoped objects (temporary tables, session variables) and requires authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user in Tenant A authenticates to the Databend HTTP v1 API and, through observation of their own session traffic or via a side channel, obtains the client_session_id UUID and username of an active session in Tenant B. The attacker submits an HTTP query request referencing that session ID; because state_key omits the tenant prefix, the ClientSessionManager resolves the key to Tenant B's session namespace, granting the attacker read or write access to Tenant B's temporary tables and session variables. … |
| Remediation | No vendor-released patched version is confirmed at time of analysis - the upstream fix is pending acceptance as PR #19931 (https://github.com/databendlabs/databend/pull/19931). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40009
GHSA-m84g-jvj9-9qg6