PatchSiren

Chroma CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Chroma CVE published 2026-06-12

CVE-2026-8828

CVE-2026-8828 is a high-severity (CVSS 8.8) vulnerability in the ChromaDB Rust project. Missing authorization validation in version 1.0.0 or later lets any authenticated user read, write, update, or delete data in any tenant's collection, regardless of which tenant that user belongs to.

CRITICAL Chroma CVE published 2026-06-12

CVE-2026-45833

CVE-2026-45833 is a critical code injection vulnerability in the ChromaDB Python project, affecting versions 0.4.17 or later. An authenticated attacker with the UPDATE_COLLECTION permission can exploit this vulnerability by sending a malicious model repository and setting trust_remote_code to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} endpoint, allowi [truncated]

HIGH Chroma CVE published 2026-06-12

CVE-2026-45832

CVE-2026-45832 is a high-severity (CVSS 8.8) vulnerability in the ChromaDB Python project. The V1 collection-level endpoints pass None for tenant and database to the authorization layer, so the authorization decision is made without any tenant or database scope, allowing attackers to bypass authorization controls. The CVE was published on 2026-06-12 ([CVE record](https://www.cve.org/CVERecord?id=CVE-2026-45832)).

HIGH Chroma CVE published 2026-06-12

CVE-2026-45831

CVE-2026-45831 is a high-severity (CVSS 8.8) vulnerability in the ChromaDB Python project's SimpleRBACAuthorizationProvider. In versions 0.5.0 or later, the provider evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to, allowing users to perform cross- [truncated]

HIGH Chroma CVE published 2026-06-12

CVE-2026-45830

CVE-2026-45830 is a high-severity (CVSS 8.8) vulnerability in the ChromaDB Python project. It affects versions 0.4.17 or later and allows any authenticated user to read, write, update, or delete data in any tenant's collection, regardless of which tenant that user belongs to. The CVE was published on 2026-06-12 ([CVE record](https://www.cve.org/CVERecord?id=CVE-2026-45830)).
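The cross-tenant entries above (CVE-2026-45831's permission check that ignores scope, and CVE-2026-45832's endpoints that hand None for tenant and database to the authorization layer) share one root cause: a permission is evaluated by name alone. The following is an added illustration written for this page, not ChromaDB's own provider code; user names, grants and resources are constructed. It places a scope-unaware check beside a scope-aware one and shows that a missing tenant or database on the request must fail closed rather than act as a wildcard.

```python
# Added illustration (not ChromaDB's code): a scope-unaware permission check next
# to a scope-aware one. Names, grants and resources below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    """The object a request targets; tenant/database may arrive as None
    when an endpoint forgets to pass them (the V1 pattern in CVE-2026-45832)."""
    tenant: Optional[str]
    database: Optional[str]
    collection: Optional[str] = None


@dataclass(frozen=True)
class Grant:
    """A permission bound to a scope. database=None means the whole tenant,
    collection=None means every collection in that database."""
    action: str
    tenant: str
    database: Optional[str] = None
    collection: Optional[str] = None


# Constructed sample grants for two hypothetical users in different tenants.
GRANTS = {
    "alice": (Grant("get_collection", "tenant_a", "db1"),),
    "bob": (Grant("get_collection", "tenant_b"),),
}


def authorize_unscoped(user: str, action: str, resource: Resource) -> bool:
    """Vulnerable pattern (CVE-2026-45831): only asks whether the user holds the
    action anywhere, so alice's grant in tenant_a also unlocks tenant_b."""
    return any(g.action == action for g in GRANTS.get(user, ()))


def authorize_scoped(user: str, action: str, resource: Resource) -> bool:
    """Hardened check: a grant matches only if it covers the resource's tenant,
    database and collection. A request with no tenant or database is refused
    rather than treated as a wildcard, so an endpoint that passes None
    (CVE-2026-45832) fails closed instead of open."""
    if resource.tenant is None or resource.database is None:
        return False
    for g in GRANTS.get(user, ()):
        if g.action != action or g.tenant != resource.tenant:
            continue
        if g.database is not None and g.database != resource.database:
            continue
        if g.collection is not None and g.collection != resource.collection:
            continue
        return True
    return False


if __name__ == "__main__":
    cross_tenant = Resource("tenant_b", "db1", "col")
    print(authorize_unscoped("alice", "get_collection", cross_tenant))  # True: the bug
    print(authorize_scoped("alice", "get_collection", cross_tenant))    # False
```

The scoped check deliberately rejects a request whose tenant or database is None instead of matching it against every grant; the cheaper fix of defaulting None to a wildcard would reproduce the V1 bypass.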

CRITICAL Chroma CVE published 2026-05-18

CVE-2026-45829

CVE-2026-45829 is a critical pre-authentication code injection issue affecting version 1.0.0 and later of the ChromaDB Python project. According to the published description, an unauthenticated attacker can send a malicious model repository to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint and, when trust_remote_code is set to true, achieve arbitrary code execution on the server. NVD lis [truncated]
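Both code-injection entries on this page (CVE-2026-45829 on collection creation and CVE-2026-45833 on collection update) hinge on a request body that sets trust_remote_code to true and names a model repository. A server-side guard that refuses such bodies outright is the conservative posture. The block below is an added example written for this page, not ChromaDB's validator; the JSON layout of the request body is constructed, and the scan is recursive so the flag is caught wherever an embedding-function configuration nests it.

```python
# Added example (not ChromaDB's validator): refuse any collection create/update
# body that asks the server to load remote model code. The JSON shape below is
# constructed; the scan is recursive on purpose so the flag is caught wherever
# an embedding-function configuration nests it.
import json
from typing import Any, List, Tuple

FLAG = "trust_remote_code"


def _requests_remote_code(value: Any) -> bool:
    """Treat True, non-zero numbers and strings such as "true"/"1"/"yes" as a
    request to load remote code; anything else is not."""
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes"}
    return bool(value)


def find_remote_code_flags(obj: Any, path: str = "$") -> List[str]:
    """Return path-like locations of every enabled trust_remote_code flag."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key == FLAG and _requests_remote_code(value):
                hits.append(child)
            hits.extend(find_remote_code_flags(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_remote_code_flags(value, f"{path}[{i}]"))
    return hits


def validate_collection_body(raw: bytes) -> Tuple[bool, List[str]]:
    """Decide whether a request body may proceed. Malformed JSON is rejected
    as well, so the check cannot be skipped by a body the parser chokes on."""
    try:
        body = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return False, ["invalid JSON"]
    hits = find_remote_code_flags(body)
    return (not hits), hits


# Constructed sample bodies: one naming a local model, one enabling remote code
# for a hypothetical repository name.
SAFE_BODY = json.dumps({
    "name": "docs",
    "configuration": {"embedding_function": {"config": {"model_name": "local-model"}}},
}).encode()
UNSAFE_BODY = json.dumps({
    "name": "docs",
    "configuration": {"embedding_function": {"config": {
        "model_name": "example/hypothetical-model",
        "trust_remote_code": "True",
    }}},
}).encode()

if __name__ == "__main__":
    print(validate_collection_body(SAFE_BODY))
    print(validate_collection_body(UNSAFE_BODY))
```

Rejecting the flag server-side, regardless of the caller's permissions, covers both the unauthenticated creation path and the UPDATE_COLLECTION update path; the string forms are matched because a loosely typed deserializer may coerce "True" to a boolean later in the pipeline.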