CVE Catalog

CVE-2026-45831

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

13th percentile - higher than 13% of all known CVEs

Summary

The SimpleRBACAuthorizationProvider in versions 0.5.0 or later of the ChromaDB Python project has a vulnerability that allows evaluating user permissions without checking which tenant, database, or collection those permissions apply to.

Risk Assessment

This could lead to unauthorized cross-tenant actions, posing a serious data security risk for the organization.

Recommendation

It is recommended to update to the latest version of ChromaDB and implement additional access controls to restrict cross-tenant actions.

Original NVD description (English source)

The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to allowing users to perform cross tenant actions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS