Description
The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to allowing users to perform cross tenant actions.
Published: 2026-06-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SimpleRBACAuthorizationProvider in ChromaDB evaluates whether a user holds a given permission but neglects to verify the tenant, database, or collection to which that permission applies, representing a missing authorization flaw (CWE-863). This results in an improper restriction of operations within the bounds of a resource (CWE-1220) that allows attackers with any permission to perform actions on objects belonging to other tenants, effectively bypassing data isolation and compromising confidentiality and integrity across tenant boundaries.

Affected Systems

Chroma:ChromaDB, versions 0.5.0 and later.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating a high level of severity. EPSS score of < 1% indicates a very low probability of exploitation, suggesting that while the flaw is severe, it is unlikely to be actively exploited. The flaw is not listed in the CISA KEV catalog, but the potential for cross-tenant data access remains significant. Attackers can likely trigger the flaw through ordinary API calls or other interfaces that invoke the authorization provider, requiring no special conditions beyond possessing a legitimate permission.

Generated by OpenCVE AI on June 15, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ChromaDB to a release that includes tenant, database, and collection validation in permission checks.
  • If no patch is available, enforce tenant scoping in your application by restricting the use of SimpleRBACAuthorizationProvider to tenant-specific contexts and binding permissions to tenant identifiers.
  • Audit all permission evaluation points to confirm tenant verification and remediate any missing checks by adding explicit validation or middleware.

Generated by OpenCVE AI on June 15, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Trychroma
Trychroma chromadb
CPEs cpe:2.3:a:trychroma:chromadb:*:*:*:*:*:python:*:*
Vendors & Products Trychroma
Trychroma chromadb
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title ChromaDB: ChromaDB: Unauthorized cross-tenant actions due to improper authorization checks
Weaknesses CWE-1220
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Moderate


Fri, 12 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Chroma
Chroma chromadb
Vendors & Products Chroma
Chroma chromadb

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to allowing users to perform cross tenant actions.
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Chroma Chromadb
Trychroma Chromadb
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2026-06-12T16:22:00.578Z

Reserved: 2026-05-13T14:01:39.604Z

Link: CVE-2026-45831

cve-icon Vulnrichment

Updated: 2026-06-12T16:21:50.679Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T16:16:28.797

Modified: 2026-06-16T15:07:38.287

Link: CVE-2026-45831

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-12T15:03:58Z

Links: CVE-2026-45831 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T15:00:10Z

Weaknesses
  • CWE-1220

    Insufficient Granularity of Access Control

  • CWE-863

    Incorrect Authorization