Description
A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Published: 2026-06-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in ChromaDB version 0.4.17 and newer allows any authenticated user to read, write, update, or delete data in any tenant’s collection, regardless of the tenant to which the user actually belongs. The flaw enables an attacker who only needs valid credentials to compromise confidentiality, integrity, and availability of data across all tenants.

Affected Systems

Chroma: ChromaDB, versions 0.4.17 and newer are affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity vulnerability. While the EPSS score is not available, the lack of the KEV listing does not diminish the risk; an authenticated attacker can immediately exploit the flaw to manipulate data across tenants. Attackers can leverage any authentication mechanism offering valid credentials—such as username/password combinations or tokens—to perform the unauthorized operations, making the flaw easily exploitable in environments where credential management or tenant isolation controls are weak.

Generated by OpenCVE AI on June 12, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest ChromaDB release that includes an authorization validation fix.
  • Configure tenant isolation controls to enforce that authenticated users can only access data belonging to their tenant.
  • Enable and review auditing of data access to detect and respond to cross‑tenant read/write activity.

Generated by OpenCVE AI on June 12, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Authenticated Authorization Bypass Enables Arbitrary Tenant Data Access in ChromaDB
First Time appeared Chroma
Chroma chromadb
Vendors & Products Chroma
Chroma chromadb

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Chroma Chromadb
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2026-06-12T16:01:19.525Z

Reserved: 2026-05-13T14:01:39.604Z

Link: CVE-2026-45830

cve-icon Vulnrichment

Updated: 2026-06-12T16:01:15.310Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:28.660

Modified: 2026-06-12T16:23:23.800

Link: CVE-2026-45830

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key