A vulnerability was found in Databend up to 1.2.881 on HTTP. It has been classified as problematic . This affects the function ClientSessionManager::state_key of the file src/query/service/src/servers/http/v1/session/client_session_manager.rs of the component Tenant Handler . The manipulation leads to authorization bypass. This vulnerability is traded as CVE-2026-13512 . It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The pull request to fix this issue