Executive Summary

CVE-2026-45832 is a security vulnerability in ChromaDB's Python project affecting versions 0.5.0 through the latest release. The issue lies in the V1 API's collection-level endpoints, which pass None for tenant and database parameters to the authorization layer. This causes the authorization checks to be bypassed because the system cannot enforce tenant-scoped access controls.

As a result, any authenticated user can gain unrestricted read and write access to collections identified by UUID through these endpoints, regardless of the configured authorization provider.

The flaw originates from the code in chromadb/server/fastapi/__init__.py, where the function responsible for syncing authorization and retrieving tenant and database information receives None values, which then propagate into the authorization resource and bypass tenant filtering.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated user to bypass authorization controls and gain unrestricted read and write access to collections in ChromaDB.

Such unauthorized access can lead to data exposure, data modification, or deletion of collections that should be protected by tenant-scoped access controls.

Given the high CVSS score of 8.8, the impact is severe, potentially compromising the confidentiality, integrity, and availability of data managed by ChromaDB.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the V1 API's collection-level endpoints in ChromaDB passing None for tenant and database parameters to the authorization layer, allowing bypass of tenant-scoped access controls.

To detect this vulnerability on your system, you can monitor or test access to the V1 collection-level endpoints, especially those that allow read and write operations on collections by UUID without tenant filtering.

Since the issue is related to authorization bypass via API endpoints, you might attempt to access collection-level endpoints with authenticated user credentials and verify if unauthorized access is possible.

Specific commands are not provided in the resources, but you could use tools like curl or HTTP clients to send requests to the V1 API endpoints and observe if tenant or database parameters are missing or ignored.

Example command to test unauthorized access (replace <API_URL> and <COLLECTION_UUID>):

• curl -X GET "<API_URL>/v1/collections/<COLLECTION_UUID>" -H "Authorization: Bearer <token>"

If access is granted without tenant or database restrictions, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability allows any authenticated user to bypass authorization controls on collection-level endpoints by passing None for tenant and database parameters.

Immediate mitigation steps include:

• Restrict access to the vulnerable V1 collection-level API endpoints until a patch or update is applied.
• Implement network-level controls such as firewall rules or API gateway policies to limit access to these endpoints.
• Monitor and audit API usage to detect any unauthorized access attempts.
• Contact ChromaDB or check for official patches or updates addressing this vulnerability and apply them as soon as they become available.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows any authenticated user to bypass tenant-scoped authorization controls and gain unrestricted read and write access to collections by UUID. Such unauthorized access to potentially sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict access controls and data confidentiality.

Because the authorization layer fails to enforce tenant and database restrictions, organizations using affected versions of ChromaDB may be unable to ensure proper data segregation and protection, increasing the risk of non-compliance with these standards.

Useful 0 Not Useful 0