CVE-2026-13512

Sažetak

A vulnerability was identified in Databend up to 1.2.881 on HTTP. This affects the function ClientSessionManager::state_key of the file src/query/service/src/servers/http/v1/session/client_session_manager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance.

Reference

https://github.com/databendlabs/databend/issues/19930
https://github.com/databendlabs/databend/pull/19931
https://vuldb.com/cve/CVE-2026-13512
https://vuldb.com/submit/838874
https://vuldb.com/vuln/374520
https://vuldb.com/vuln/374520/cti

CVSS

Base:	6.5
Impact:	6.4
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:S/C:P/I:P/A:P

Zadnje važnije ažuriranje

28-06-2026 - 23:16

Objavljeno

28-06-2026 - 23:16