VYPR
High severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-45830

Description

ChromaDB versions 0.4.17+ allow any authenticated user to access any tenant's collection by UUID, bypassing tenant isolation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A missing authorization check in ChromaDB Python versions 0.4.17 through the latest release (as of the advisory date) allows any authenticated user to read, write, update, or delete data in any tenant's collection. The flaw resides in the SQL query logic within chromadb/db/mixins/sysdb.py (lines 504–520). When a collection UUID is provided, the query skips tenant and database filtering because the code assumes a UUID uniquely identifies a collection. This design decision, documented in an in-code comment, means that the _get_collection() method in chromadb/api/segment.py passes only the UUID without any tenant context, enabling cross-tenant access [1].

Exploitation

An attacker must be an authenticated user of the ChromaDB instance (any privilege level) and know a valid collection UUID. With that UUID, they can directly call API endpoints that accept a collection ID, such as get_collection, add, update, and delete. The server resolves the collection purely by UUID, ignoring the tenant and database scoping that would normally restrict access. No additional authentication or authorization checks are performed [1].

Impact

Successful exploitation allows the attacker to arbitrarily read, write, update, or delete data in any tenant's collection, regardless of which tenant they belong to. This breaks tenant isolation, leading to potential information disclosure, data corruption, or data loss. The attacker gains the same level of access as the legitimate tenant owner for that collection, effectively escalating privileges across tenants [1].

Mitigation

As of the advisory publication date (2026-06-12), no patched version of ChromaDB has been released. Users are advised to restrict network access to the ChromaDB API to trusted clients only, monitor logs for unauthorized access attempts, and consider implementing additional tenant-scoping controls at the network or application layer until a fix is available [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The SQL query in `get_collections()` skips tenant/database filtering when a collection UUID is provided, allowing any authenticated user to access collections across tenant boundaries."

Attack vector

An attacker who is already authenticated to ChromaDB can read, write, update, or delete data in any tenant's collection by supplying the target collection's UUID. The `_get_collection()` method [ref_id=1] calls `get_collections(id=collection_id)` without passing any tenant or database context. Because the SQL query in `sysdb.py` [ref_id=1] only applies tenant/database filtering when `id` is `None`, providing a UUID bypasses all tenant isolation checks [CWE-639]. This allows the attacker to arbitrarily manipulate any collection whose UUID they know or can enumerate.

Affected code

The vulnerability spans two code paths. First, `chromadb/db/mixins/sysdb.py:504-520` [ref_id=1] contains the SQL query builder that conditionally adds tenant/database filtering only when `id is None`. Second, `chromadb/api/segment.py:1010-1015` [ref_id=1] calls `get_collections(id=collection_id)` without supplying tenant or database parameters, so the tenant filter is never applied.

What the fix does

The advisory [ref_id=1] identifies that the root cause is a deliberate design decision documented in an in-code comment: "Given an id, we can uniquely identify the collection so we don't need to filter databases." No patch is shown in the supplied bundle. The remediation would require modifying the SQL query in `sysdb.py` to enforce tenant and database filtering even when a UUID is provided, or ensuring that `_get_collection()` in `segment.py` passes tenant context alongside the UUID so that the caller's tenant is validated before returning the collection.

Preconditions

  • auth: Attacker must be an authenticated user of the ChromaDB instance
  • input: Attacker must know or be able to enumerate a valid collection UUID belonging to another tenant
  • config: The ChromaDB version must be 0.4.17 or later

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1