CVE-2026-45832
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk20th percentile - higher than 20% of all known CVEs
Summary
A vulnerability in ChromaDB allows bypassing authorization controls by using V1 endpoints, which pass None for tenant and database to the authorization layer.
Risk Assessment
An attacker can gain unauthorized access to data or perform operations on collections without proper permissions, compromising system confidentiality and integrity.
Recommendation
Immediately update ChromaDB to a version that fixes authorization handling for V1 endpoints, or apply temporary firewall rules blocking access to these endpoints.
Original NVD description (English source)
All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.

