
Chroma Chromadb vulnerabilities

6 known vulnerabilities affecting chroma/chromadb.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5

Vulnerabilities

CVE-2026-45829 | P1 | CRITICAL | CVSS 10.0 | Affected: ≥ 1.0.0, ≤ * | 2026-05-18
CWE-94. A pre-authentication code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
Sources: GHSA, NVD
CVE-2026-45833 | P2 | HIGH | CVSS 8.8 | Affected: ≥ 0.4.17, ≤ * | 2026-06-12
CWE-94. A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true to the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} endpoint if they have the UPDATE_COLLE
Source: NVD
CVE-2026-45830 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 0.4.17, ≤ * | 2026-06-12
CWE-639. A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection, regardless of which tenant the user belongs to.
Source: NVD
CVE-2026-45832 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 0.5.0, ≤ * | 2026-06-12
CWE-639. All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.
Source: NVD
CVE-2026-45831 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 0.5.0, ≤ * | 2026-06-12
CWE-863. The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to, allowing users to perform cross-tenant actions.
Source: NVD
CVE-2026-8828 | P3 | HIGH | CVSS 8.8 | Affected: ≥ 1.0.0, ≤ * | 2026-06-12
CWE-639. A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection, regardless of which tenant the user belongs to.
Source: NVD