Description
The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to allowing users to perform cross tenant actions.
Published: 2026-06-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SimpleRBACAuthorizationProvider in ChromaDB evaluates whether a user holds a given permission but neglects to verify the tenant, database, or collection to which that permission applies. As a result, an attacker who obtains any permission for an object can perform actions on objects belonging to other tenants, effectively bypassing data isolation and compromising confidentiality and integrity across tenant boundaries.

Affected Systems

Chroma:ChromaDB, versions 0.5.0 and later.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating a high level of severity. EPSS data is unavailable, but the lack of tenant context makes it trivial for an authenticated user with any permission to exploit the flaw. The flaw is not listed in the CISA KEV catalog, but the potential for cross‑tenant data access remains significant. Attackers can likely trigger the flaw through ordinary API calls or other interfaces that invoke the authorization provider, requiring no special conditions beyond possessing a legitimate permission.

Generated by OpenCVE AI on June 12, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ChromaDB to a release that includes tenant, database, and collection validation in permission checks.
  • If no patch is available, enforce tenant scoping in your application by restricting the use of SimpleRBACAuthorizationProvider to tenant‑specific contexts and binding permissions to tenant identifiers.
  • Audit all permission evaluation points to confirm tenant verification and remediate any missing checks by adding explicit validation or middleware.

Generated by OpenCVE AI on June 12, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Chroma
Chroma chromadb
Vendors & Products Chroma
Chroma chromadb

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to allowing users to perform cross tenant actions.
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Chroma Chromadb
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2026-06-12T16:22:00.578Z

Reserved: 2026-05-13T14:01:39.604Z

Link: CVE-2026-45831

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:28.797

Modified: 2026-06-12T16:23:23.800

Link: CVE-2026-45831

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses