Description
A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Published: 2026-06-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in ChromaDB versions 1.0.0 and later permits any authenticated user to read, write, update, or delete data in any tenant’s collection regardless of their own tenant membership. The flaw therefore enables complete compromise of data confidentiality, integrity and availability for all tenants sharing the same deployment.

Affected Systems

The affected product is ChromaDB, version 1.0.0 or newer, supplied by Chroma. No specific sub‑versions are listed in the CNA data; any release in the 1.x series inherits the vulnerability.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. EPSS information is not available, and the flaw is not listed in the CISA KEV catalog, so the current exploitation probability is unknown. The likely attack vector requires authentication, meaning any victim user account can exploit the flaw. Once authenticated, an attacker can exfiltrate or poison data for other tenants, potentially leading to loss of trust, regulatory breach, or service disruption if key data is manipulated. The absence of proven exploits suggests a moderate to high risk given the vulnerability’s severity and the ease of exploitation once credentials are obtained.

Generated by OpenCVE AI on June 12, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest patched release of ChromaDB that includes proper tenant ownership validation.
  • Enforce network segmentation to isolate the ChromaDB deployment from other systems and monitor for anomalous cross‑tenant API calls.
  • Review and strengthen application code to validate tenant identity on every request, and implement automated tests to confirm boundary enforcement.

Generated by OpenCVE AI on June 12, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Title Arbitrary Data Access and Modification in ChromaDB due to Missing Authorization Checks
First Time appeared Chroma
Chroma chromadb
Vendors & Products Chroma
Chroma chromadb

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Chroma Chromadb
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2026-06-12T16:00:39.467Z

Reserved: 2026-05-18T13:23:36.281Z

Link: CVE-2026-8828

cve-icon Vulnrichment

Updated: 2026-06-12T16:00:35.036Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:34.687

Modified: 2026-06-12T16:22:33.843

Link: CVE-2026-8828

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T16:45:07Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key