CVE-2026-45830: ChromaDB auth bypass exposes any

CISO Take

ChromaDB versions 0.4.17 and later contain a tenant isolation failure where any authenticated user can read, write, update, or delete collections belonging to any other tenant — regardless of their own tenant assignment. For teams running shared ChromaDB instances backing multi-tenant RAG or AI agent platforms, this means a single compromised or malicious user account has unrestricted access to every other tenant's vector store, including embedded documents, retrieved context, and proprietary data. No public exploit or KEV listing exists at this time and EPSS data is pending, but the attack requires only valid authentication and is trivially reproducible — no elevated privileges or AI/ML expertise needed. Until a patched release is confirmed, restrict ChromaDB to single-tenant deployments, enforce network-level isolation, or place an authorization proxy in front of all collection API calls.

Sources: NVD ATLAS hiddenlayer.com

What is the risk?

HIGH risk for multi-tenant deployments. CWE-639 (IDOR) with unrestricted cross-tenant scope makes this a near-zero-effort privilege escalation for any authenticated user. The blast radius in shared SaaS platforms is severe: full read, write, and delete access across all tenants' vector collections. Single-tenant deployments have reduced but non-zero risk where internal user boundary violations remain possible. No EPSS data is available yet; exploitation complexity is trivial once authentication is obtained, making this a high-likelihood abuse scenario in production multi-tenant environments.

How does the attack unfold?

Initial Access

Adversary obtains valid credentials to a multi-tenant ChromaDB instance through account registration, credential theft, or insider access — no privilege escalation required.

AML.T0012

Authorization Bypass

Adversary crafts API requests targeting other tenants' collection IDs, exploiting the absent tenant-scoped authorization check to cross tenant boundaries.

AML.T0049

Collection Enumeration & Exfiltration

Adversary lists and queries all accessible collections across tenants, extracting vector embeddings and reconstructable source documents from any target tenant.

AML.T0085.000

Impact

Adversary exfiltrates proprietary RAG data, injects poisoned embeddings to corrupt victim RAG pipeline outputs, or deletes collections for targeted denial of service against specific tenants.

AML.T0070

Initial Access

Adversary obtains valid credentials to a multi-tenant ChromaDB instance through account registration, credential theft, or insider access — no privilege escalation required.

AML.T0012

Authorization Bypass

Adversary crafts API requests targeting other tenants' collection IDs, exploiting the absent tenant-scoped authorization check to cross tenant boundaries.

AML.T0049

Collection Enumeration & Exfiltration

Adversary lists and queries all accessible collections across tenants, extracting vector embeddings and reconstructable source documents from any target tenant.

AML.T0085.000

Impact

Adversary exfiltrates proprietary RAG data, injects poisoned embeddings to corrupt victim RAG pipeline outputs, or deletes collections for targeted denial of service against specific tenants.

AML.T0070

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
ChromaDB	pip	—	No patch
28.2K OpenSSF 5.0 1.2K dependents Pushed 6d ago 0% patched Full package profile →

Do you use ChromaDB? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

IMMEDIATE

Audit whether your ChromaDB deployment is multi-tenant. If yes, enforce network isolation — restrict ChromaDB access to a single trusted service account per tenant with no direct client exposure.
PATCH

Monitor ChromaDB GitHub releases and PyPI for a fix; update immediately when available and validate tenant isolation in post-patch testing.
DETECT

Review ChromaDB access logs for requests where the authenticated user's tenant context does not match the queried collection's owning tenant.
WORKAROUND

Deploy separate ChromaDB instances per tenant (instance-level isolation) to eliminate the shared authorization surface.
COMPENSATING CONTROL

Place an authorization proxy in front of ChromaDB that enforces tenant-scoped collection ACLs before any request reaches the database layer.

How is it classified?

Auth Bypass Data Extraction Data Leakage RAG AML.T0012 - Valid Accounts AML.T0036 - Data from Information Repositories AML.T0049 - Exploit Public-Facing Application AML.T0070 - RAG Poisoning AML.T0085.000 - RAG Databases

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 9 - Risk Management System

ISO 42001

A.6.1.3 - Access Control for AI Systems

NIST AI RMF

GOVERN 1.7 - Processes for AI Risk — Data Boundaries

OWASP LLM Top 10

LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2026-45830?

ChromaDB versions 0.4.17 and later contain a tenant isolation failure where any authenticated user can read, write, update, or delete collections belonging to any other tenant — regardless of their own tenant assignment. For teams running shared ChromaDB instances backing multi-tenant RAG or AI agent platforms, this means a single compromised or malicious user account has unrestricted access to every other tenant's vector store, including embedded documents, retrieved context, and proprietary data. No public exploit or KEV listing exists at this time and EPSS data is pending, but the attack requires only valid authentication and is trivially reproducible — no elevated privileges or AI/ML expertise needed. Until a patched release is confirmed, restrict ChromaDB to single-tenant deployments, enforce network-level isolation, or place an authorization proxy in front of all collection API calls.

Is CVE-2026-45830 actively exploited?

No confirmed active exploitation of CVE-2026-45830 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45830?

1. IMMEDIATE: Audit whether your ChromaDB deployment is multi-tenant. If yes, enforce network isolation — restrict ChromaDB access to a single trusted service account per tenant with no direct client exposure. 2. PATCH: Monitor ChromaDB GitHub releases and PyPI for a fix; update immediately when available and validate tenant isolation in post-patch testing. 3. DETECT: Review ChromaDB access logs for requests where the authenticated user's tenant context does not match the queried collection's owning tenant. 4. WORKAROUND: Deploy separate ChromaDB instances per tenant (instance-level isolation) to eliminate the shared authorization surface. 5. COMPENSATING CONTROL: Place an authorization proxy in front of ChromaDB that enforces tenant-scoped collection ACLs before any request reaches the database layer.

What systems are affected by CVE-2026-45830?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, vector databases, multi-tenant AI platforms, agent frameworks.

What is the CVSS score for CVE-2026-45830?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesvector databasesmulti-tenant AI platformsagent frameworks

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0036 Data from Information Repositories

AML.T0049 Exploit Public-Facing Application

AML.T0070 RAG Poisoning

AML.T0085.000 RAG Databases

Compliance Controls Affected

EU AI Act: Art. 9

ISO 42001: A.6.1.3

NIST AI RMF: GOVERN 1.7

OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.

Exploitation Scenario

An adversary registers a legitimate account on a SaaS platform backed by a shared ChromaDB instance. Using their valid authentication token, they enumerate collection names across other tenants by calling the list-collections API without tenant filtering — or by iterating predictable naming conventions. They then issue get and query calls against target collections, extracting the full vector store of a competitor tenant including embedded proprietary documents used to ground their RAG system. For a more impactful attack, they inject poisoned embeddings directly into a victim tenant's collection, causing that tenant's RAG pipeline to silently retrieve adversary-controlled context and influence downstream LLM outputs — a cross-tenant RAG poisoning attack requiring no exploit code, only a valid account.

Weaknesses (CWE)

CWE-639 Authorization Bypass Through User-Controlled Key CWE-639 Authorization Bypass Through User-Controlled Key

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

[Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
[Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.