Impact
The SimpleRBACAuthorizationProvider in ChromaDB evaluates whether a user holds a given permission but neglects to verify the tenant, database, or collection to which that permission applies, a missing authorization flaw (CWE-863). The result is an improper restriction of operations within the bounds of a resource (CWE-1220): a user holding any permission can perform actions on objects belonging to other tenants, bypassing data isolation and compromising confidentiality and integrity across tenant boundaries.
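The flaw class described above, as an added illustration that is not ChromaDB's own code: a permission check that ignores the requested tenant/database/collection beside one that binds each grant to a scope in that hierarchy. The `Scope`, `Grant`, `User` types and the action name `collection:read` are hypothetical, chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Scope:
    """A point in the tenant -> database -> collection hierarchy; None at a level means every object below it."""
    tenant: str
    database: Optional[str] = None
    collection: Optional[str] = None

    def __post_init__(self):
        # a collection only makes sense inside a specific database
        if self.collection is not None and self.database is None:
            raise ValueError("collection scope requires a database")

    def covers(self, target: "Scope") -> bool:
        """True if this (grant) scope contains the target (request) scope."""
        if self.tenant != target.tenant:
            return False
        if self.database is not None and self.database != target.database:
            return False
        if self.collection is not None and self.collection != target.collection:
            return False
        return True

@dataclass(frozen=True)
class Grant:
    action: str   # hypothetical action name, e.g. "collection:read"
    scope: Scope  # where that action may be exercised

@dataclass
class User:
    name: str
    grants: list = field(default_factory=list)

def authorize_unscoped(user: User, action: str, target: Scope) -> bool:
    """Flawed pattern: asks only whether the user holds the action anywhere.
    The target tenant/database/collection is never consulted (CWE-863)."""
    return any(g.action == action for g in user.grants)

def authorize_scoped(user: User, action: str, target: Scope) -> bool:
    """Corrected pattern: the action must be granted on a scope covering the target."""
    return any(g.action == action and g.scope.covers(target) for g in user.grants)

# Constructed sample data: alice may read collections in tenant_a/db1 only.
ALICE = User("alice", [Grant("collection:read", Scope("tenant_a", "db1"))])
OWN = Scope("tenant_a", "db1", "docs")
OTHER_TENANT = Scope("tenant_b", "db1", "docs")
```

With this data `authorize_unscoped` approves alice's read of `OTHER_TENANT` while `authorize_scoped` rejects it, which is the cross-tenant gap the advisory describes.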
Affected Systems
Chroma:ChromaDB, versions 0.5.0 and later.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.8, indicating high severity. Its EPSS score of under 1% indicates a very low probability of exploitation, suggesting that while the flaw is severe, it is unlikely to be actively exploited. The flaw is not listed in the CISA KEV catalog, but the potential for cross-tenant data access remains significant. Attackers can likely trigger the flaw through ordinary API calls or other interfaces that invoke the authorization provider, requiring no special conditions beyond possessing a legitimate permission.
OpenCVE Enrichment