Description
A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Published: 2026-06-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in ChromaDB version 0.4.17 and newer allows any authenticated user to read, write, update, or delete data in any tenant’s collection, regardless of the tenant to which the user actually belongs. The flaw enables an attacker who only needs valid credentials to compromise confidentiality, integrity, and availability of data across all tenants.

Affected Systems

Chroma: ChromaDB, versions 0.4.17 and newer are affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity vulnerability. The EPSS score of 0.00038, representing less than 1% exploitation probability, indicates that the vulnerability is less likely to be exploited, but it does not diminish the risk posed by the high severity; an authenticated attacker can still immediately manipulate data across tenants. Attackers can leverage any authentication mechanism offering valid credentials—such as username/password combinations or tokens—to perform the unauthorized operations, making the flaw easily exploitable in environments where credential management or tenant isolation controls are weak.

Generated by OpenCVE AI on June 15, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest ChromaDB release that includes an authorization validation fix.
  • Configure tenant isolation controls to enforce that authenticated users can only access data belonging to their tenant.
  • Enable and review auditing of data access to detect and respond to cross‑tenant read/write activity.

Generated by OpenCVE AI on June 15, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Trychroma
Trychroma chromadb
CPEs cpe:2.3:a:trychroma:chromadb:*:*:*:*:*:python:*:*
Vendors & Products Trychroma
Trychroma chromadb
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Authenticated Authorization Bypass Enables Arbitrary Tenant Data Access in ChromaDB chromadb: ChromaDB: Unauthorized data manipulation due to improper authorization validation
Weaknesses CWE-266
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important


Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Authenticated Authorization Bypass Enables Arbitrary Tenant Data Access in ChromaDB
First Time appeared Chroma
Chroma chromadb
Vendors & Products Chroma
Chroma chromadb

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Chroma Chromadb
Trychroma Chromadb
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2026-06-30T12:10:18.404Z

Reserved: 2026-05-13T14:01:39.604Z

Link: CVE-2026-45830

cve-icon Vulnrichment

Updated: 2026-06-30T03:18:58.305Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T16:16:28.660

Modified: 2026-06-16T15:07:46.483

Link: CVE-2026-45830

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-12T14:46:54Z

Links: CVE-2026-45830 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T14:00:12Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment

  • CWE-639

    Authorization Bypass Through User-Controlled Key