Description

All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.

Status: PUBLISHED | Reserved 2026-05-13 | Published 2026-06-12 | Updated 2026-06-12 | Assigner: HiddenLayer

Severity: HIGH 8.8 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N)

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status: unaffected

Version 0.5.0 (custom): affected

References

www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-4

cve.org (CVE-2026-45832)

nvd.nist.gov (CVE-2026-45832)
