Skip to main content

Databend EUVDEUVD-2026-40009

| CVE-2026-13512 LOW
Improper Authorization (CWE-285)
2026-06-28 cna@vuldb.com GHSA-m84g-jvj9-9qg6
2.1
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.9 MEDIUM

Requires authenticated access plus knowledge of a victim's UUID session ID (AC:H); crosses tenant security boundary (S:C); no availability impact confirmed.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 28, 2026 - 23:31 vuln.today
Analysis Generated
Jun 28, 2026 - 23:31 vuln.today

DescriptionCVE.org

A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::state_key of the file src/query/service/src/servers/http/v1/session/client_session_manager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.

AnalysisAI

Tenant isolation bypass in Databend up to 1.2.881 allows an authenticated remote attacker to access or corrupt session state belonging to users in other tenants by exploiting a missing tenant dimension in the ClientSessionManager session key derivation. The state_key function generated keys using only username and client_session_id, enabling key collisions across tenants sharing a server process - a flaw confirmed by the PR #19931 diff which adds tenant scoping to all key construction paths. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege HTTP API user
Delivery
Obtain victim tenant's username and active client_session_id UUID
Exploit
Craft HTTP query request referencing victim session ID
Execution
state_key collision bypasses tenant boundary in ClientSessionManager
Impact
Read or overwrite victim's temporary tables and session variables

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Databend session with at least low-privilege access (PR:L per CVSS vector), confirming unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 2.1 (AV:N/AC:L/AT:N/PR:L/UI:N with VC:L/VI:L/VA:L and E:P) accurately reflects the bounded impact: exploitation is limited to session-scoped objects (temporary tables, session variables) and requires authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user in Tenant A authenticates to the Databend HTTP v1 API and, through observation of their own session traffic or via a side channel, obtains the client_session_id UUID and username of an active session in Tenant B. The attacker submits an HTTP query request referencing that session ID; because state_key omits the tenant prefix, the ClientSessionManager resolves the key to Tenant B's session namespace, granting the attacker read or write access to Tenant B's temporary tables and session variables. …
Remediation No vendor-released patched version is confirmed at time of analysis - the upstream fix is pending acceptance as PR #19931 (https://github.com/databendlabs/databend/pull/19931). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy