CVE-2026-45830

Source
https://cve.org/CVERecord?id=CVE-2026-45830
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45830.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45830
Published
2026-06-12T14:46:54.823Z
Modified
2026-07-11T04:04:05.854431732Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator
Summary
[none]
Details

A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "0.4.17"
                },
                {
                    "last_affected": "*"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45830.json",
    "cna_assigner": "HiddenLayer",
    "cwe_ids": [
        "CWE-639"
    ]
}
References

Affected packages

Git / github.com/chroma-core/chroma

Affected ranges

Type
GIT
Repo
https://github.com/chroma-core/chroma
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:trychroma:chromadb:*:*:*:*:*:python:*:*",
    "extracted_events": [
        {
            "introduced": "0.4.17"
        },
        {
            "last_affected": "1.5.9"
        }
    ]
}

Affected versions

0.*
0.4.17
0.4.19
0.4.20
0.4.21
0.4.23
0.4.24
0.5.0
0.5.1
0.5.10
0.5.11
0.5.12
0.5.13
0.5.14
0.5.15
0.5.16
0.5.17
0.5.18
0.5.19
0.5.2
0.5.20
0.5.21
0.5.23
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.9
0.6.0
0.6.1
0.6.2
0.6.3
1.*
1.0.0
1.0.10
1.0.11
1.0.12
1.0.13
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.2
1.0.20
1.0.21
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.3.2
1.3.3
1.3.5
1.3.6
1.3.7
1.4.0
1.4.1
1.5.0
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
cli-1.*
cli-1.1.0
cli-1.1.10
cli-1.1.11
cli-1.1.2
cli-1.1.3
cli-1.1.4
cli-1.1.5
cli-1.1.6
cli-1.1.7
cli-1.1.8
cli-1.1.9
cli-1.2.0
cli-1.2.1
cli-1.2.2
cli-1.2.3
cli-1.2.4
cli-1.3.0
cli-1.3.1
cli-1.4.0
cli-1.4.1
cli-1.4.2
cli-1.4.3
cli-1.4.4
js_client_2.*
js_client_2.4.2
js_release_1.*
js_release_1.10.0
js_release_1.10.2
js_release_1.10.3
js_release_1.10.4
js_release_1.7.1
js_release_1.7.2
js_release_1.7.3
js_release_1.8.1
js_release_1.9.1
js_release_1.9.2
js_release_1.9.4
js_release_2.*
js_release_2.0.1
js_release_2.1.0
js_release_2.2.0
js_release_2.2.1
js_release_2.3.0
js_release_2.4.0
js_release_2.4.1
js_release_2.4.2
js_release_2.4.3
js_release_2.4.4
js_release_2.4.5
js_release_2.4.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45830.json"