CVE-2026-45832

8.8HIGH

Key Information:

Vendor: Chroma
Status: Chromadb
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-45832?

All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.

Affected Version(s)

ChromaDB 0.5.0

References

https://www.hiddenlayer.com/sai-security-advisory/2026-06...

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
May 13, 2026

CVE-2026-45832 Data

JSON