CVE Catalog

CVE-2026-45830

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

26th percentile - higher than 26% of all known CVEs

Summary

In ChromaDB Python version 0.4.17 and later, a missing authorization validation allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection regardless of their tenant membership.

Risk Assessment

The organization faces a breach of tenant data isolation, potentially leading to leakage, modification, or loss of sensitive business information.

Recommendation

Immediately update ChromaDB to a patched version or implement temporary firewall rules and API access restrictions.

Original NVD description (English source)

A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS