Description
All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
Published: 2026-06-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw causes every V1 collection‑level endpoint in the ChromaDB Python client to forward a null tenant and database to the authorization logic. This omission enables an attacker who can reach the API to invoke any V1 endpoint and gain access to data or perform operations that are normally protected by tenant or database boundaries. The vulnerability is an instance of CWE‑639, where required authorization checks are omitted, allowing unauthorized read or write capabilities.

Affected Systems

Chroma: ChromaDB’s Python project, specifically all V1 collection‑level endpoints. The affected product is the current release of the Python client; version details were not supplied in the advisory.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity, and the EPSS score of <1% indicates a low likelihood of exploitation, though the lack of a CISA KEV listing does not mitigate the intrinsic risk. Attackers can exploit the flaw by sending standard API requests to the V1 endpoints, bypassing tenant and database restrictions without needing authentication or elevated privileges. The impact covers confidentiality, integrity, and availability of tenant‑isolated data, potentially affecting all users of the service.

Generated by OpenCVE AI on June 15, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest ChromaDB release that removes or secures V1 endpoints.
  • Disable or block V1 collection‑level endpoints if they are not required for your environment.
  • Configure the authorization layer to enforce presence and validation of tenant and database identifiers for every API call.

Generated by OpenCVE AI on June 15, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Trychroma
Trychroma chromadb
CPEs cpe:2.3:a:trychroma:chromadb:*:*:*:*:*:python:*:*
Vendors & Products Trychroma
Trychroma chromadb
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 15 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Authorization Bypass via V1 Collection‑Level Endpoints in ChromaDB chromadb: ChromaDB: Authorization bypass in V1 collection-level endpoints
Weaknesses CWE-551
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important


Fri, 12 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Authorization Bypass via V1 Collection‑Level Endpoints in ChromaDB

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Chroma
Chroma chromadb
Vendors & Products Chroma
Chroma chromadb

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


Subscriptions

Chroma Chromadb
Trychroma Chromadb
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2026-06-30T12:10:17.648Z

Reserved: 2026-05-13T14:01:39.604Z

Link: CVE-2026-45832

cve-icon Vulnrichment

Updated: 2026-06-30T03:18:58.024Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-12T16:16:28.933

Modified: 2026-06-16T15:07:21.920

Link: CVE-2026-45832

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-12T15:11:46Z

Links: CVE-2026-45832 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T14:00:12Z

Weaknesses
  • CWE-551

    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

  • CWE-639

    Authorization Bypass Through User-Controlled Key