CVE-2026-8828

8.8HIGH

Key Information:

Vendor: Chroma
Status: Chromadb
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-8828?

A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.

Affected Version(s)

ChromaDB 1.0.0

References

https://www.hiddenlayer.com/sai-security-advisory/2026-06...

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
May 18, 2026

CVE-2026-8828 Data

JSON