PatchSiren cyber security CVE debrief
CVE-2026-45831 Chroma CVE debrief
CVE-2026-45831 is a HIGH severity vulnerability in the ChromaDB Python Project's SimpleRBACAuthorizationProvider. The vulnerability has a CVSS score of 8.8. The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to, allowing users to perform cross-tenant actions.
- Vendor
- Chroma
- Product
- ChromaDB
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Operators of ChromaDB Python Project deployments that rely on SimpleRBACAuthorizationProvider to separate tenants, particularly on versions 0.5.0 or later, should treat this as a tenant-isolation failure and take the mitigation steps below.
Technical summary
The SimpleRBACAuthorizationProvider authorization provider in ChromaDB Python Project versions 0.5.0 or later has a vulnerability that allows users to perform cross-tenant actions. This is because the provider evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to.
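To make the flaw class concrete, the following added example (not ChromaDB's code; the Scope, Grant, Policy and authorize_* names are assumptions) contrasts an authorizer that checks only whether a user holds an action with one that also requires the grant's tenant/database/collection scope to cover the requested target:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of a resource scope: a grant may be issued at tenant,
# database or collection level; unset levels apply to everything below.
@dataclass(frozen=True)
class Scope:
    tenant: str
    database: Optional[str] = None
    collection: Optional[str] = None

    def covers(self, target: "Scope") -> bool:
        # A grant scope covers a target when every level it names matches.
        return (self.tenant == target.tenant
                and (self.database is None or self.database == target.database)
                and (self.collection is None or self.collection == target.collection))

@dataclass(frozen=True)
class Grant:
    action: str
    scope: Scope

@dataclass
class Policy:
    grants: Dict[str, List[Grant]] = field(default_factory=dict)

def authorize_unscoped(policy: Policy, user: str, action: str, target: Scope) -> bool:
    # Weak pattern described in the advisory: only asks "does the user hold
    # this action?" and ignores which tenant/database/collection it was
    # granted for, so a grant in tenant-a also opens tenant-b.
    return any(g.action == action for g in policy.grants.get(user, []))

def authorize_scoped(policy: Policy, user: str, action: str, target: Scope) -> bool:
    # Hardened pattern: the grant must match the action AND its scope must
    # cover the target resource being accessed.
    return any(g.action == action and g.scope.covers(target)
               for g in policy.grants.get(user, []))

# Constructed sample policy: alice may read collections only in tenant-a/db1.
POLICY = Policy({"alice": [Grant("collection:read", Scope("tenant-a", "db1"))]})

def demo() -> Dict[str, bool]:
    own = Scope("tenant-a", "db1", "docs")
    foreign = Scope("tenant-b", "db1", "docs")
    return {
        "unscoped_own": authorize_unscoped(POLICY, "alice", "collection:read", own),
        "unscoped_foreign": authorize_unscoped(POLICY, "alice", "collection:read", foreign),
        "scoped_own": authorize_scoped(POLICY, "alice", "collection:read", own),
        "scoped_foreign": authorize_scoped(POLICY, "alice", "collection:read", foreign),
    }
```

The unscoped check returns True for the foreign tenant, which is the cross-tenant behaviour the advisory describes; the scoped check denies it.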
Defensive priority
HIGH
Recommended defensive actions
- Update to a patched version of ChromaDB Python Project's SimpleRBACAuthorizationProvider, if available.
- Until a patched version is deployed, enforce tenant, database and collection isolation outside the provider (for example, at a gateway or in the calling application) so that a permission held in one tenant cannot be exercised against another.
Evidence notes
The vulnerability was reported by Hiddenlayer.
Official resources
- CVE-2026-45831 CVE record (CVE.org)
- CVE-2026-45831 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 6f8de1f0-f67e-45a6-b68f-98777fdb759c
CVE-2026-45831 was published on 2026-06-12T16:16:28.797Z and modified on 2026-06-12T16:23:23.800Z.