CVE-2026-45830

high

Description

A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.

References

https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45830.json

https://bugzilla.redhat.com/show_bug.cgi?id=2488408

https://access.redhat.com/security/cve/CVE-2026-45830

Details

Source: Mitre, NVD

Published: 2026-06-12

Updated: 2026-07-15

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.8

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Severity: High

EPSS

EPSS: 0.00038