A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45830.json
Published: 2026-06-12
Updated: 2026-07-15
Base Score: 9
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C
Severity: High
Base Score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: High
Base Score: 8.8
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Severity: High
EPSS: 0.00038