4 matches found
CVE-2026-45830
CVE-2026-45830 affects the ChromaDB Python project (version 0.4.17 and later). The lack of authorization validation allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant’s collection, regardless of tenancy. The vulnerability is described with a CVSS 4.0 ba...
CVE-2026-45832
CVE-2026-45832 affects the Python project of ChromaDB. All V1 collection-level endpoints pass None for the tenant and database to the authorization layer, which allows attackers to bypass authorization controls when using the V1 endpoints. The reports do not provide any explicit remediation steps...
CVE-2026-45833
CVE-2026-45833 affects the ChromaDB Python project (version 0.4.17 and later). The issue is a code injection vulnerability where an authenticated attacker can execute arbitrary code on the server by supplying a malicious model repository and setting trust_remote_code to true in the API path /api/...
CVE-2026-45831
The CVE describes a vulnerability in the SimpleRBACAuthorizationProvider of the ChromaDB Python project (versions 0.5.0 and later). The issue is that it evaluates whether a user has a permission without validating the tenant/database/collection scope, enabling cross-tenant actions. This is the un...