Description
All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
Published: 2026-06-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw causes every V1 collection‑level endpoint in the ChromaDB Python client to forward a null tenant and database to the authorization logic. This omission enables an attacker who can reach the API to invoke any V1 endpoint and gain access to data or perform operations that are normally protected by tenant or database boundaries. The vulnerability is an instance of CWE‑639, where required authorization checks are omitted, allowing unauthorized read or write capabilities.

Affected Systems

Chroma: ChromaDB’s Python project, specifically all V1 collection‑level endpoints. The affected product is the current release of the Python client; version details were not supplied in the advisory.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity, and although EPSS data is not available, the lack of a CISA KEV listing does not mitigate the intrinsic risk. Attackers can exploit the flaw by sending standard API requests to the V1 endpoints, bypassing tenant and database restrictions without needing authentication or elevated privileges. The impact covers confidentiality, integrity, and availability of tenant‑isolated data, potentially affecting all users of the service.

Generated by OpenCVE AI on June 12, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest ChromaDB release that removes or secures V1 endpoints.
  • Disable or block V1 collection‑level endpoints if they are not required for your environment.
  • Configure the authorization layer to enforce presence and validation of tenant and database identifiers for every API call.

Generated by OpenCVE AI on June 12, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Authorization Bypass via V1 Collection‑Level Endpoints in ChromaDB

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Chroma
Chroma chromadb
Vendors & Products Chroma
Chroma chromadb

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Chroma Chromadb
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2026-06-12T16:20:54.122Z

Reserved: 2026-05-13T14:01:39.604Z

Link: CVE-2026-45832

cve-icon Vulnrichment

Updated: 2026-06-12T16:19:53.297Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:28.933

Modified: 2026-06-12T16:23:23.800

Link: CVE-2026-45832

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T17:00:07Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key