CVE Catalog

CVE-2026-45832

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile - higher than 20% of all known CVEs

Summary

A vulnerability in ChromaDB allows bypassing authorization controls by using V1 endpoints, which pass None for tenant and database to the authorization layer.

Risk Assessment

An attacker can gain unauthorized access to data or perform operations on collections without proper permissions, compromising system confidentiality and integrity.

Recommendation

Immediately update ChromaDB to a version that fixes authorization handling for V1 endpoints, or apply temporary firewall rules blocking access to these endpoints.

Original NVD description (English source)

All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS