PatchSiren cyber security CVE debrief
CVE-2026-8828 Chroma CVE debrief
CVE-2026-8828 is a high-severity vulnerability in the ChromaDB Rust project. Missing authorization validation in version 1.0.0 or later allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection, regardless of the tenant that user belongs to. The vulnerability has a CVSS score of 8.8 and is rated HIGH severity.
- Vendor: Chroma
- Product: ChromaDB
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of the ChromaDB Rust project at version 1.0.0 or later, especially those running multi-tenant deployments, should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The ChromaDB Rust project lacks authorization validation on tenant data access. Any authenticated user can therefore perform arbitrary read, write, update, or delete operations on data in any tenant's collection, irrespective of that user's own tenant affiliation.
Defensive priority
High
Recommended defensive actions
- Update to a patched version of the ChromaDB Rust project as soon as one is available.
- Enforce authorization validation on tenant data access, so that callers can only reach collections belonging to their own tenant.
- Restrict access to sensitive data and collections.
- Monitor for suspicious activity, such as cross-tenant collection access, and add security controls as needed.
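The defect class described in this debrief is authentication being treated as authorization: the caller is known, but nobody checks whether the caller's tenant owns the collection being touched. The Rust example below is added here to illustrate that check and is not Chroma's code; the `Principal`, `Collection`, `Store` and `Authorizer` names, the in-memory store, and the two-tenant scenario are all hypothetical constructs. It places a permissive authorizer (the vulnerable pattern) beside a tenant-scoped one (the hardened pattern) in front of the same store, so the only thing that changes between the two runs is the authorization decision.

```rust
use std::collections::HashMap;

/// Collection operations named in the advisory.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Operation {
    Read,
    Write,
    Update,
    Delete,
}

/// The authenticated caller, as established by the authentication layer.
/// (Hypothetical type, not Chroma's.)
#[derive(Debug, Clone)]
pub struct Principal {
    pub user_id: String,
    pub tenant_id: String,
}

/// A collection record; every collection is owned by exactly one tenant.
#[derive(Debug, Clone)]
pub struct Collection {
    pub id: String,
    pub tenant_id: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AccessError {
    NotFound,
    TenantMismatch,
}

/// An authorization policy: decides whether `caller` may perform `op` on `collection`.
pub type Authorizer = fn(&Principal, &Collection, Operation) -> Result<(), AccessError>;

/// Vulnerable pattern: being authenticated is treated as being authorized.
/// Any principal is allowed to act on any collection, in any tenant.
pub fn authorize_vulnerable(_caller: &Principal, _collection: &Collection, _op: Operation) -> Result<(), AccessError> {
    Ok(())
}

/// Hardened pattern: the collection's owning tenant must match the caller's tenant
/// for every operation, and the check runs before the data layer is touched.
pub fn authorize_tenant_scoped(caller: &Principal, collection: &Collection, _op: Operation) -> Result<(), AccessError> {
    if caller.tenant_id == collection.tenant_id {
        Ok(())
    } else {
        Err(AccessError::TenantMismatch)
    }
}

/// Minimal in-memory store. Collection lookup is global (keyed by id only), so the
/// authorizer is the sole boundary between tenants, which is the situation the
/// tenant-scoped check has to handle.
pub struct Store {
    collections: HashMap<String, Collection>,
    documents: HashMap<String, Vec<String>>,
    authorize: Authorizer,
}

impl Store {
    pub fn new(authorize: Authorizer) -> Self {
        Store { collections: HashMap::new(), documents: HashMap::new(), authorize }
    }

    /// Creates a collection owned by the creator's tenant.
    pub fn create_collection(&mut self, owner: &Principal, id: &str) {
        self.collections.insert(id.to_string(), Collection { id: id.to_string(), tenant_id: owner.tenant_id.clone() });
        self.documents.insert(id.to_string(), Vec::new());
    }

    /// Every data path goes through this single check.
    fn check(&self, caller: &Principal, id: &str, op: Operation) -> Result<(), AccessError> {
        let collection = self.collections.get(id).ok_or(AccessError::NotFound)?;
        (self.authorize)(caller, collection, op)
    }

    pub fn add(&mut self, caller: &Principal, id: &str, doc: &str) -> Result<(), AccessError> {
        self.check(caller, id, Operation::Write)?;
        self.documents.get_mut(id).expect("collection exists after check").push(doc.to_string());
        Ok(())
    }

    pub fn get(&self, caller: &Principal, id: &str) -> Result<Vec<String>, AccessError> {
        self.check(caller, id, Operation::Read)?;
        Ok(self.documents[id].clone())
    }

    pub fn delete(&mut self, caller: &Principal, id: &str) -> Result<(), AccessError> {
        self.check(caller, id, Operation::Delete)?;
        self.collections.remove(id);
        self.documents.remove(id);
        Ok(())
    }
}

/// Constructed scenario: tenant A owns a collection; a caller from tenant B reads it.
pub fn cross_tenant_read(authorize: Authorizer) -> Result<Vec<String>, AccessError> {
    let alice = Principal { user_id: "alice".into(), tenant_id: "tenant-a".into() };
    let bob = Principal { user_id: "bob".into(), tenant_id: "tenant-b".into() };
    let mut store = Store::new(authorize);
    store.create_collection(&alice, "docs");
    store.add(&alice, "docs", "tenant-a private record").expect("owner may write");
    store.get(&bob, "docs")
}

fn main() {
    println!("vulnerable: {:?}", cross_tenant_read(authorize_vulnerable));
    println!("hardened:   {:?}", cross_tenant_read(authorize_tenant_scoped));
}
```

Two design points worth noting. First, the check lives in one place (`Store::check`) that every read, write, update and delete path must pass through; per-endpoint checks are exactly what drift and get forgotten. Second, a production service may prefer to return `NotFound` rather than `TenantMismatch` for cross-tenant requests, so that a caller cannot confirm which collection ids exist in other tenants; the distinct error is kept here only to make the test outcome explicit.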
Evidence notes
Evidence from Hiddenlayer indicates a potential vulnerability in ChromaDB Rust project.
Official resources
- CVE-2026-8828 CVE record (CVE.org)
- CVE-2026-8828 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 6f8de1f0-f67e-45a6-b68f-98777fdb759c
CVE-2026-8828 was published on 2026-06-12T16:16:34.687Z and modified on 2026-06-12T16:22:33.843Z.