| Title | Databend Labs Databend main branch commit 21377cd76bb1e84f92bfc9da1acc881b8841f1de; affected versions unknown CWE-639 Authorization Bypass Through User-Controlled Key |
|---|
| Description | A vulnerability was found in Databend main branch commit 21377cd76bb1e84f92bfc9da1acc881b8841f1de and classified as medium severity.
Affected is the HTTP client session state handling for temporary tables. The function ClientSessionManager::state_key in src/query/service/src/servers/http/v1/session/client_session_manager.rs builds an in-memory state key from user_name and client_session_id only. The same non-tenant-scoped key shape is also used for HTTP temporary table prefixes via Session::get_temp_table_prefix in src/query/service/src/sessions/session.rs. Tenant identity is a security-relevant namespace in Databend, but it is not part of this key.
An authenticated client can use HTTP session support through X-DATABEND-CLIENT-CAPS: session_header and X-DATABEND-SESSION. The request tenant may be selected through X-DATABEND-TENANT before authentication. If two tenants contain the same user name and a client session id collides or is replayed, both tenant contexts address the same in-memory temporary table session state entry on the same query node.
Authentication required: yes. User interaction required: no.
Technical Details
- Affected file/function: src/query/service/src/servers/http/v1/session/client_session_manager.rs / ClientSessionManager::state_key, on_query_start, add_temp_tbl_mgr
- Related file/function: src/query/service/src/sessions/session.rs / Session::get_temp_table_prefix
- Related file/function: src/query/sql/src/planner/binder/ddl/table.rs / temporary table OPT_KEY_TEMP_PREFIX insertion
- Vulnerable parameter: HTTP client session id and user name; tenant is omitted from the state key
- Attack vector: Network
- Privileges required: Low
- Trigger condition: two authenticated tenant contexts use the same user name and client_session_id while temporary table state is resident in memory on the same query node
Impact
- Confidentiality: Low
- Integrity: Low
- Availability: None
CVSS v3.1
Score: 5.4 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Timeline
- Discovered: 2026-05-27
- Vendor notified: 2026-05-27
- Patch released: [unknown]
- Public disclosure: [unknown]
Countermeasure
Include tenant identity in the HTTP temporary table/session state key and use the tenant-scoped key consistently for temporary table prefixing, registration, restore, refresh, and cleanup. Existing non-tenant-scoped session state should be invalidated or migrated safely. |
|---|
| Source | ⚠️ https://github.com/databendlabs/databend/issues/19930 |
|---|
| User | Dem000000 (UID 98564) |
|---|
| Submission | 27/05/2026 15:05 (1 month ago) |
|---|
| Moderation | 28/06/2026 08:31 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 374520 [Databend up to 1.2.881 on HTTP Tenant client_session_manager.rs state_key Privilege Escalation] |
|---|
| Points | 20 |
|---|
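
A minimal model of the key collision described in the submission and of the tenant-scoped key the countermeasure asks for. This is an added example, not Databend's code: the `user/session` key format, the names `Ctx`, `unscoped_key`, `scoped_key` and `tables_visible_to`, and all sample values are assumptions made for illustration.

```rust
use std::collections::HashMap;

/// Simplified request identity after authentication (hypothetical type).
#[derive(Clone, Copy)]
struct Ctx<'a> {
    tenant: &'a str,
    user: &'a str,
    client_session_id: &'a str,
}

/// Key shape described in the report: tenant is not part of the key.
/// The "user/session" layout is an assumption, not the project's format.
fn unscoped_key(c: &Ctx) -> String {
    format!("{}/{}", c.user, c.client_session_id)
}

/// Tenant-scoped key. Each component is length-prefixed so a value that
/// contains the separator cannot alias a different (tenant, user, id) triple.
fn scoped_key(c: &Ctx) -> String {
    [c.tenant, c.user, c.client_session_id]
        .iter()
        .map(|p| format!("{}:{}", p.len(), p))
        .collect::<Vec<_>>()
        .join("/")
}

/// Registers one temp table under `writer`'s key in an in-memory map,
/// then returns the temp tables that `reader`'s key resolves to.
fn tables_visible_to(key: fn(&Ctx) -> String, writer: &Ctx, reader: &Ctx) -> Vec<String> {
    let mut state: HashMap<String, Vec<String>> = HashMap::new();
    state.entry(key(writer)).or_default().push("tmp_orders".to_string());
    state.get(&key(reader)).cloned().unwrap_or_default()
}

fn main() {
    // Constructed sample: same user name and session id under two tenants.
    let a = Ctx { tenant: "tenant_a", user: "alice", client_session_id: "sess-1" };
    let b = Ctx { tenant: "tenant_b", ..a };
    println!("unscoped: {:?}", tables_visible_to(unscoped_key, &a, &b));
    println!("scoped:   {:?}", tables_visible_to(scoped_key, &a, &b));
}
```

The same scoped key has to be used for prefixing, registration, restore, refresh and cleanup; a single remaining lookup on the unscoped key keeps the shared entry reachable.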