CVE-2026-45832

All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.

CVSS

No CVSS.

References

Link	Resource
https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-4

Configurations

No configuration.

History

12 Jun 2026, 16:23

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-12 16:16

Updated : 2026-06-12 16:23

NVD link : CVE-2026-45832

Mitre link : CVE-2026-45832

CVE.ORG link : CVE-2026-45832

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-45832", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-06-12T16:16:28.933", "references": [{"url": "https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-4", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints."}], "lastModified": "2026-06-12T16:23:23.800", "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}

CVE-2026-45832

JSON object

Attach tags to CVE-2026-45832

Attach tags to `CVE-2026-45832`