CVE-2026-45831
Status: Awaiting Analysis (Queue)
Cross-Tenant Permission Bypass in ChromaDB

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: HiddenLayer

Description
The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 and later of the ChromaDB Python project evaluates whether a user holds a given permission, but it never checks which tenant, database, or collection that permission applies to, allowing users to perform cross-tenant actions.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: chroma
Product: chromadb
Version / Range: from 0.5.0 (inclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability exists in the SimpleRBACAuthorizationProvider component of the ChromaDB Python project, starting from version 0.5.0. The issue is that while the provider checks if a user has a certain permission, it does not verify the context of that permission, such as which tenant, database, or collection it applies to. As a result, users can perform actions across different tenants, bypassing intended access restrictions.

Compliance Impact

The vulnerability in the SimpleRBACAuthorizationProvider allows users to perform cross-tenant actions without proper tenant, database, or collection checks. This could lead to unauthorized access to data across tenants.

Such unauthorized cross-tenant access may result in violations of data protection regulations like GDPR and HIPAA, which require strict access controls and data segregation to protect personal and sensitive information.

Impact Analysis

Because the authorization provider does not bind permissions to specific tenants, databases, or collections, a user who legitimately holds a permission in one tenant can exercise it against resources in another tenant. This can lead to unauthorized data access, data leakage, or manipulation across tenant boundaries, potentially compromising data confidentiality and integrity.
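The weakness described in the Description and Impact Analysis is a permission check that compares only the action name and ignores the resource scope. The following is an added illustration, not ChromaDB's code and not the affected SimpleRBACAuthorizationProvider: a hypothetical minimal RBAC authorizer with a scope-less check beside a scope-aware one, run against a constructed policy so the cross-tenant difference is visible. All class, function and policy names here are assumptions made for the example.

```python
"""Scope-less vs scope-aware permission checks (hypothetical example, not ChromaDB code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Resource:
    """The thing being acted on: a tenant, optionally narrowed to a database/collection."""
    tenant: str
    database: Optional[str] = None
    collection: Optional[str] = None


@dataclass(frozen=True)
class Grant:
    """A permission bound to a scope. None in a field means 'any' at that level."""
    action: str
    tenant: str
    database: Optional[str] = None
    collection: Optional[str] = None

    def covers(self, resource: Resource) -> bool:
        """True only if this grant's scope contains the requested resource."""
        if self.tenant != resource.tenant:
            return False
        if self.database is not None and self.database != resource.database:
            return False
        if self.collection is not None and self.collection != resource.collection:
            return False
        return True


# Constructed sample policy (assumption for the example):
# alice may read any collection in tenant-a; bob may read one collection in tenant-b.
POLICY: Dict[str, List[Grant]] = {
    "alice": [Grant("collection:read", tenant="tenant-a")],
    "bob": [Grant("collection:read", tenant="tenant-b", database="db1", collection="orders")],
}


def authorize_scope_less(user: str, action: str, resource: Resource) -> bool:
    """Flawed pattern (CWE-863): only the action name is compared.

    The resource argument is accepted but never consulted, so a permission held
    in one tenant is honoured for every tenant.
    """
    return any(g.action == action for g in POLICY.get(user, []))


def authorize_scoped(user: str, action: str, resource: Resource) -> bool:
    """Corrected pattern: the action must match AND the grant's scope must cover the resource."""
    return any(g.action == action and g.covers(resource) for g in POLICY.get(user, []))


def cross_tenant_gap(user: str, action: str, resource: Resource) -> bool:
    """True when the scope-less check allows a request the scoped check would deny.

    Useful as a regression probe: any True result is an authorization bypass.
    """
    return authorize_scope_less(user, action, resource) and not authorize_scoped(user, action, resource)


if __name__ == "__main__":
    foreign = Resource("tenant-b", "db1", "orders")  # alice holds nothing in tenant-b
    print("scope-less:", authorize_scope_less("alice", "collection:read", foreign))  # True (bypass)
    print("scoped:    ", authorize_scoped("alice", "collection:read", foreign))      # False
```

The `covers` method is the piece the vulnerable pattern lacks: every level of the hierarchy that the grant names must match the request, and a grant that names a broader scope (tenant only) still legitimately covers narrower resources inside it. Running `cross_tenant_gap` over representative requests is a cheap way to assert, in tests, that no permission leaks across tenant boundaries.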
