CVE-2026-45830
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk26th percentile - higher than 26% of all known CVEs
Summary
In ChromaDB Python version 0.4.17 and later, a missing authorization validation allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection regardless of their tenant membership.
Risk Assessment
The organization faces a breach of tenant data isolation, potentially leading to leakage, modification, or loss of sensitive business information.
Recommendation
Immediately update ChromaDB to a patched version or implement temporary firewall rules and API access restrictions.
Original NVD description (English source)
A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.

