CVE-2026-45832

Summary

All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.

Affected Software

VendorProductVersion RangeStatus
ChromaChromaDB0.5.0 <= *affected

Weaknesses

  • CWE-639: CWE-639 Authorization bypass through User-Controlled key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

chromadb: ChromaDB: Authorization bypass in V1 collection-level endpoints

Additional References

References