CVE-2026-45830
Published 2026-06-12
Priority: P354 · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.34% (26.3rd percentile)
A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chroma | chromadb | 0.4.17 – * | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhoai | odh-autorag-rhel9 | — | — |
| trychroma | chromadb | 0.4.17 – 1.5.9 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 8.8 | HIGH | — |
VulDB
Chroma ChromaDB up to 0.4.17 authorization
vuldb · 2026-06-12 · CVSS 8.8 · HIGH
A vulnerability labeled as critical has been found in Chroma ChromaDB up to 0.4.17. The affected element is an unknown function. Executing a manipulation can lead to authorization bypass.
This vulnerability appears as CVE-2026-45830. The attack may be performed remotely. There is no available exploit.
GHSA
ghsa_unreviewed · 2026-06-12 · HIGH · CWE-639
A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.
Red Hat
chromadb: ChromaDB: Unauthorized data manipulation due to improper authorization validation
vendor_redhat · 2026-06-12 · CVSS 8.8 · HIGH · CWE-266
A flaw was found in ChromaDB. A lack of authorization validation in the ChromaDB Python project allows any authenticated user to read, write, update, or delete data in any tenant's collection. This means an attacker can bypass intended access controls and manipulate data across different tenants, leading to unauthorized data access and modification.
Statement: This flaw is a post-authentication IDOR: ChromaDB resolves collections by UUID without tenant/datab
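The Red Hat statement names the pattern: a collection is resolved by its UUID alone, so the tenant and database of the authenticated caller never enter the lookup (CWE-639, authorization bypass through a user-controlled key). The following Python example is added here as an illustration and is not ChromaDB's code nor code from any of the sources above. It models the pattern with a hypothetical in-memory `CollectionStore`: `resolve_unscoped` reproduces the UUID-only lookup, while `resolve_scoped` makes tenant and database part of the key and returns the same `NotFound` for "does not exist" and "not in your scope", so the error cannot be used to confirm whether a guessed UUID is valid. All class, function, user and tenant names are invented for the illustration.

```python
"""Tenant-scoped collection resolution (illustrative, not ChromaDB's code).

Shows the UUID-only lookup that defines a post-authentication IDOR beside a
lookup that treats (tenant, database, collection_id) as the real key.
"""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Collection:
    id: str          # UUID string, globally unique across all tenants
    tenant: str
    database: str
    name: str


@dataclass(frozen=True)
class Principal:
    """An authenticated caller; authentication is assumed to have happened already."""
    user: str
    tenant: str
    database: str


class NotFound(Exception):
    """Returned for both 'missing' and 'exists but outside your scope'."""


class CollectionStore:
    def __init__(self) -> None:
        self._by_id: dict[str, Collection] = {}
        self._docs: dict[str, list[str]] = {}

    def create(self, principal: Principal, name: str) -> Collection:
        col = Collection(str(uuid.uuid4()), principal.tenant, principal.database, name)
        self._by_id[col.id] = col
        self._docs[col.id] = []
        return col

    # --- vulnerable pattern (CWE-639): the UUID is treated as the only key ---
    def resolve_unscoped(self, collection_id: str) -> Collection:
        try:
            return self._by_id[collection_id]
        except KeyError:
            raise NotFound(collection_id) from None

    def add_unscoped(self, principal: Principal, collection_id: str, doc: str) -> None:
        col = self.resolve_unscoped(collection_id)  # principal is never consulted
        self._docs[col.id].append(doc)

    # --- hardened pattern: ownership is part of the lookup, not an afterthought ---
    def resolve_scoped(self, principal: Principal, collection_id: str) -> Collection:
        col = self._by_id.get(collection_id)
        if col is None or (col.tenant, col.database) != (principal.tenant, principal.database):
            raise NotFound(collection_id)  # identical error: no existence oracle
        return col

    def add_scoped(self, principal: Principal, collection_id: str, doc: str) -> None:
        col = self.resolve_scoped(principal, collection_id)
        self._docs[col.id].append(doc)

    def docs(self, collection_id: str) -> list[str]:
        return list(self._docs[collection_id])


def demonstrate() -> dict[str, object]:
    """Run both lookups against constructed sample data and report the outcome."""
    store = CollectionStore()
    alice = Principal("alice", "tenant-a", "default")
    mallory = Principal("mallory", "tenant-b", "default")  # a different tenant
    col = store.create(alice, "alice-docs")

    # Unscoped lookup: a caller from tenant-b writes into tenant-a's collection.
    store.add_unscoped(mallory, col.id, "written by tenant-b")
    unscoped_allowed = "written by tenant-b" in store.docs(col.id)

    # Scoped lookup: the same call is rejected, while the owner still has access.
    try:
        store.add_scoped(mallory, col.id, "second attempt")
        scoped_blocked = False
    except NotFound:
        scoped_blocked = True
    store.add_scoped(alice, col.id, "alice's own document")

    return {
        "unscoped_allowed_cross_tenant_write": unscoped_allowed,
        "scoped_blocked_cross_tenant_write": scoped_blocked,
        "docs": store.docs(col.id),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The design point is where the check lives: a scoped resolver called by every data path cannot be forgotten by an individual endpoint, whereas an authorization check bolted on after an unscoped lookup has to be repeated for each of read, write, update and delete.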
No detection rules found.
No public exploits indexed.