CVE-2026-8828
Published 2026-06-12
Priority: P3 · 53 · high · CVSS 4.0 base score 8.8
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N (threat, environmental and supplemental metrics E, CR, IR, AR, MAV, MAC, MAT, MPR, MUI, MVC, MVI, MVA, MSC, MSI, MSA, S, AU, R, V, RE, U are all X, not defined)
EPSS: 0.28% (19.6th percentile)
A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection, regardless of which tenant the user belongs to.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chroma | chromadb | 1.0.0 – * | — |
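The flaw is the CWE-639 pattern: a collection is resolved from a user-controlled ID with no check that it belongs to the caller's tenant, so authentication succeeds but authorization never happens. The Rust model below is an added example written for this page, not ChromaDB's code; the types, names (`Store`, `Caller`, `resolve`, the `c-acme-1` IDs) and sample data are constructed. It shows the vulnerable lookup beside a tenant-scoped one that every read and write path goes through.

```rust
use std::collections::HashMap;

/// One tenant's collection. Field names are illustrative, not ChromaDB's schema.
#[derive(Debug, Clone, PartialEq)]
pub struct Collection {
    pub tenant: String,
    pub name: String,
    pub docs: Vec<String>,
}

/// Caller identity as established by authentication. Authentication answers
/// "who is this?"; the missing step on this page is the one that answers
/// "may this caller touch this collection?".
pub struct Caller {
    pub user: String,
    pub tenant: String,
}

#[derive(Debug, PartialEq)]
pub enum AccessError {
    NotFound,
}

/// Collections keyed by a globally unique ID, as a multi-tenant server would store them.
pub struct Store {
    collections: HashMap<String, Collection>,
}

impl Store {
    /// Constructed sample data (hypothetical): two tenants, one collection each.
    pub fn sample() -> Store {
        let mut collections = HashMap::new();
        collections.insert(
            "c-acme-1".to_string(),
            Collection { tenant: "acme".into(), name: "support-tickets".into(), docs: vec!["ticket-1".into()] },
        );
        collections.insert(
            "c-globex-1".to_string(),
            Collection { tenant: "globex".into(), name: "contracts".into(), docs: vec!["nda.pdf".into()] },
        );
        Store { collections }
    }

    /// VULNERABLE (CWE-639): the caller is authenticated, but the lookup is keyed
    /// only on the user-supplied ID, so any tenant can reach any other tenant's data.
    pub fn get_vulnerable(&self, _caller: &Caller, id: &str) -> Result<&Collection, AccessError> {
        self.collections.get(id).ok_or(AccessError::NotFound)
    }

    /// HARDENED: a single resolver enforces tenant ownership. A foreign tenant's ID
    /// is reported as NotFound rather than Forbidden, so the reply does not confirm
    /// that the ID exists in another tenant.
    fn resolve(&self, caller: &Caller, id: &str) -> Result<&Collection, AccessError> {
        match self.collections.get(id) {
            Some(c) if c.tenant == caller.tenant => Ok(c),
            _ => Err(AccessError::NotFound),
        }
    }

    pub fn get_scoped(&self, caller: &Caller, id: &str) -> Result<&Collection, AccessError> {
        self.resolve(caller, id)
    }

    /// The advisory covers read, write, update and delete, so every mutating verb
    /// goes through the same resolver; a fix that only guards reads is incomplete.
    pub fn add_doc_scoped(&mut self, caller: &Caller, id: &str, doc: &str) -> Result<usize, AccessError> {
        self.resolve(caller, id)?;
        let c = self.collections.get_mut(id).ok_or(AccessError::NotFound)?;
        c.docs.push(doc.to_string());
        Ok(c.docs.len())
    }

    pub fn delete_scoped(&mut self, caller: &Caller, id: &str) -> Result<(), AccessError> {
        self.resolve(caller, id)?;
        self.collections.remove(id);
        Ok(())
    }
}

fn main() {
    let mut store = Store::sample();
    // mallory is a legitimate, authenticated user of tenant "globex".
    let mallory = Caller { user: "mallory".to_string(), tenant: "globex".to_string() };
    println!(
        "{} ({}) reads c-acme-1, unscoped: {:?}",
        mallory.user, mallory.tenant,
        store.get_vulnerable(&mallory, "c-acme-1").map(|c| &c.name)
    );
    println!("scoped read:   {:?}", store.get_scoped(&mallory, "c-acme-1").map(|c| &c.name));
    println!("scoped delete: {:?}", store.delete_scoped(&mallory, "c-acme-1"));
    println!("own tenant:    {:?}", store.add_doc_scoped(&mallory, "c-globex-1", "msa.pdf"));
}
```

The same shape is the check to run against your own multi-tenant deployment: authenticate as a user of tenant A, address a collection that belongs to tenant B on each verb (read, add, update, delete), and expect a not-found or denied response rather than data or a successful mutation.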
VulDB
CVE-2026-8828 [HIGH] Chroma ChromaDB 1.0.0 authorization
vuldb · 2026-06-12 · CVSS 8.8
A vulnerability was found in Chroma ChromaDB 1.0.0. It has been declared critical. The affected functionality is unknown. The manipulation results in an authorization bypass.
This vulnerability is identified as CVE-2026-8828. The attack can be executed remotely. No exploit is available.
GHSA
CVE-2026-8828 [HIGH] · CWE-639
ghsa_unreviewed · 2026-06-12
A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection, regardless of which tenant the user belongs to.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.