← All CVEs

CVE-2026-45832

HIGH 8.8

Published 2026-06-12 · Last modified 2026-06-30

All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.

ELEVATED IMPACT

Severe if exploited (CVSS 8.8), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.3%chance of exploitation in 30 days · 20th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

8.8CVSS 4.0 · HIGH

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: Requires a low-privilege account
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: Specific conditions must be present

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Chroma Red Hat

Products Chromadb Red Hat Enterprise Linux Ai (Rhel Ai) 3 Red Hat Openshift Ai (Rhoai)

Weakness (CWE)

  • CWE-639: Authorization bypass
  • CWE-551

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Sources: NVD · CVE.org · EPSS