PatchSiren cyber security CVE debrief
CVE-2026-45832 Chroma CVE debrief
CVE-2026-45832 is a HIGH-severity vulnerability in ChromaDB's Python project. The V1 collection-level endpoints pass None for tenant and database to the authorization layer, so authorization decisions that depend on those scopes are made against missing values, and a caller using the V1 endpoints can bypass authorization controls. The vulnerability has a CVSS score of 8.8 and was published on 2026-06-12 ([CVE record](https://www.cve.org/CVERecord?id=CVE-2026-45832)).
- Vendor
- Chroma
- Product
- ChromaDB
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Anyone running ChromaDB's Python server with authorization enabled, in particular multi-tenant deployments that rely on tenant- and database-scoped authorization and still expose the V1 collection-level endpoints, should treat this as an authorization bypass and remediate it.
Technical summary
The V1 collection-level endpoints in ChromaDB's Python project pass None for tenant and database to the authorization layer instead of the scope the request actually targets. The authorization layer therefore cannot evaluate the tenant and database constraints for those requests, and a caller who routes a request through a V1 endpoint can reach collections that the authorization controls would otherwise deny. The stored evidence does not name specific affected or fixed versions.
Defensive priority
HIGH
Recommended defensive actions
- Update ChromaDB's Python project to a release in which the V1 collection-level endpoints pass the real tenant and database to the authorization layer (the stored evidence does not name the fixed version; check the vendor advisory and CVE record).
- Until the update is applied, restrict or block the V1 collection-level endpoints at the reverse proxy or network layer and route clients through the endpoints that carry tenant and database.
- Verify the fix rather than assuming it: with authorization enabled, confirm that a user scoped to one tenant or database is denied access to another tenant's collections through every endpoint family, and make the authorization layer fail closed when tenant or database is missing.
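The following Python block is an added illustration of the bug pattern described in the technical summary and of the fail-closed check recommended above; it is not Chroma's code. The collection table, user names, handler and authorization function names are hypothetical, and the assumption that the vulnerable authorization layer treats a missing (None) scope as "no restriction" is mine, chosen to reproduce the behaviour the advisory describes.

```python
"""Authorization bypass via None scopes, and a fail-closed fix (illustrative, not Chroma's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two tenants, each owning one collection in its "prod" database.
COLLECTIONS = {
    "col-acme": {"tenant": "acme", "database": "prod"},
    "col-globex": {"tenant": "globex", "database": "prod"},
}


@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    database: str


class AuthzError(PermissionError):
    """Raised when the authorization layer denies or refuses a request."""


def authorize_permissive(user: User, tenant: Optional[str], database: Optional[str]) -> bool:
    """Vulnerable pattern (assumed): a scope that is None is simply not checked.

    Any handler that passes None for tenant and database, as the advisory says the
    V1 collection-level endpoints do, is therefore never denied on scope grounds.
    """
    if tenant is not None and tenant != user.tenant:
        return False
    if database is not None and database != user.database:
        return False
    return True


def v1_get_collection_vulnerable(user: User, collection_id: str) -> dict:
    """Hypothetical V1-style handler: the collection-level route carries no tenant or
    database, and the handler forwards None for both instead of resolving them."""
    if not authorize_permissive(user, tenant=None, database=None):
        raise AuthzError("denied")
    return COLLECTIONS[collection_id]


def authorize_strict(user: User, tenant: Optional[str], database: Optional[str]) -> bool:
    """Fail-closed variant: a missing scope is an error, never a wildcard."""
    if tenant is None or database is None:
        raise AuthzError("authorization scope missing: refusing request")
    return tenant == user.tenant and database == user.database


def v1_get_collection_fixed(user: User, collection_id: str) -> dict:
    """Resolve the collection's own tenant/database first, then authorize against them."""
    meta = COLLECTIONS.get(collection_id)
    if meta is None:
        raise KeyError(collection_id)
    if not authorize_strict(user, meta["tenant"], meta["database"]):
        raise AuthzError("denied")
    return meta


def demo() -> tuple:
    """Show the cross-tenant read through the vulnerable path and the denial on the fixed path."""
    attacker = User("mallory", tenant="globex", database="prod")
    leaked = v1_get_collection_vulnerable(attacker, "col-acme")  # succeeds: acme's collection
    try:
        v1_get_collection_fixed(attacker, "col-acme")
        fixed_denied = False
    except AuthzError:
        fixed_denied = True
    return leaked["tenant"], fixed_denied


if __name__ == "__main__":
    print(demo())
```

The regression check worth keeping in a test suite is the last function: a user scoped to one tenant must be denied another tenant's collection through every endpoint family, and the authorization function must raise rather than return True when either scope is None.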
Evidence notes
The description above rests on [ref-4](https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-4), the HiddenLayer security advisory for this issue, which reports that ChromaDB's V1 collection-level endpoints pass None for tenant and database to the authorization layer. No affected or fixed versions are recorded in the stored evidence.
Official resources
- [CVE-2026-45832 CVE record](https://www.cve.org/CVERecord?id=CVE-2026-45832) (CVE.org)
- CVE-2026-45832 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 6f8de1f0-f67e-45a6-b68f-98777fdb759c
CVE-2026-45832 was published on 2026-06-12T16:16:28.933Z and last modified on 2026-06-12T16:23:23.800Z.