CVE-2026-45831
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
The SimpleRBACAuthorizationProvider in versions 0.5.0 or later of the ChromaDB Python project has a vulnerability that allows evaluating user permissions without checking which tenant, database, or collection those permissions apply to.
Risk Assessment
This could lead to unauthorized cross-tenant actions, posing a serious data security risk for the organization.
Recommendation
It is recommended to update to the latest version of ChromaDB and implement additional access controls to restrict cross-tenant actions.
Original NVD description (English source)
The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to allowing users to perform cross tenant actions.

