CVE-2026-45832: ChromaDB: V1 auth bypass exposes all tenant collections

HIGH
Published June 12, 2026
CISO Take

ChromaDB's V1 collection-level API endpoints contain a design flaw where None is passed as both tenant and database identifiers to the authorization layer, effectively nullifying multi-tenant access controls. In environments where ChromaDB is shared across teams, applications, or customer tenants — a common pattern in RAG-based AI platforms — this allows any user with API access to read, write, or delete collections belonging to any other tenant without restriction. No public exploit code has been confirmed and EPSS data is unavailable, but the exploitation path is trivially simple: issue any V1 collection endpoint call and the authorization layer cannot enforce isolation due to the None values it receives. Organizations running shared ChromaDB deployments should upgrade immediately and apply per-tenant instance isolation as a compensating control while patching.

Sources: NVD, HiddenLayer Advisory, ATLAS

What is the risk?

High risk for any multi-tenant ChromaDB deployment. The flaw is a logic error in the API layer — not a misconfiguration — meaning default installations are affected. Exploitation requires only network-level access to the ChromaDB API; no special credentials, elevated privileges, or AI/ML expertise are needed, placing this within reach of low-sophistication attackers. The impact is severe: complete tenant isolation collapses, exposing every stored embedding and associated document across all collections to unauthorized reads, writes, or deletion.

How does the attack unfold?

  1. Initial Access (AML.T0049): Attacker identifies an exposed ChromaDB instance — publicly reachable or accessible within a shared internal network — and gains API-level connectivity, requiring no special credentials in many default deployments.

  2. Authorization Bypass (AML.T0107): Attacker calls V1 collection-level endpoints; ChromaDB internally passes None for tenant and database to the authorization layer, which cannot enforce tenant isolation and grants unrestricted access.

  3. Collection Enumeration (AML.T0085.000): With authorization bypassed, attacker enumerates all collections across every tenant in the instance, mapping the full scope of accessible data stores with no access control checks blocking traversal.

  4. Data Exfiltration (AML.T0025): Attacker extracts embeddings, associated source documents, and metadata from all accessible collections, potentially including PII, confidential business content, and proprietary knowledge base data belonging to other tenants.

What systems are affected?

Package: ChromaDB
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch

Do you use ChromaDB? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Patch: Upgrade ChromaDB to the version addressing this issue — monitor the HiddenLayer advisory at hiddenlayer.com/sai-security-advisory/2026-06-chromadb-4 for the patched release.

  2. Compensating control (immediate): Deploy separate ChromaDB instances per tenant rather than relying on internal authorization isolation.

  3. Network isolation: Restrict ChromaDB API access to trusted internal services only via firewall or network policy — block all external/public exposure of port 8000.

  4. Detection: Audit access logs for cross-tenant collection access; flag API calls to /api/v1/collections endpoints that return collections not mapped to the requesting user's tenant context.

  5. Data exposure assessment: Inventory what sensitive data (PII, IP, internal documents) is stored across all collections and evaluate breach notification obligations if unauthorized access is confirmed.
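
One way to run the audit from step 4, as an added example rather than HiddenLayer's or ChromaDB's tooling. The log line format, the `USER_TENANT` and `COLLECTION_TENANT` inventories, the collection ids and the path suffixes after `/api/v1/collections` are constructed assumptions; adapt the regex to what your reverse proxy records.

```python
import re

# Constructed inventory: which tenant each user and each collection id belongs to.
USER_TENANT = {"alice": "tenant_a", "bob": "tenant_b"}
COLLECTION_TENANT = {"c-a1": "tenant_a", "c-b1": "tenant_b"}

# Constructed proxy log lines: timestamp, authenticated user, method, path, status.
SAMPLE_LOG = """\
2026-06-12T10:00:01Z user=alice POST /api/v1/collections/c-a1/query 200
2026-06-12T10:00:07Z user=alice POST /api/v1/collections/c-b1/get 200
2026-06-12T10:00:09Z user=bob GET /api/v1/collections?limit=100&offset=0 200
2026-06-12T10:00:12Z user=bob DELETE /api/v1/collections/c-zz 404
2026-06-12T10:00:15Z user=bob POST /api/v2/tenants/tenant_b/databases/db/collections 200
"""

# Matches only V1 collection calls; the optional "cid" group is the path segment
# that follows /api/v1/collections/ (absent on the list endpoint).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>/api/v1/collections(?=[/?\s])(?:/(?P<cid>[^/?\s]+))?\S*) "
    r"(?P<status>\d{3})$"
)


def triage(log_text):
    """Return (timestamp, user, reason, path, status) for V1 calls needing review."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a V1 collection call, or not in the assumed format
        cid, user_tenant = m["cid"], USER_TENANT.get(m["user"])
        if cid is None:
            reason = "unscoped-list"  # listing is not tied to one collection
        elif cid not in COLLECTION_TENANT:
            reason = "unknown-collection"  # inventory gap: owner cannot be checked
        elif user_tenant is None or COLLECTION_TENANT[cid] != user_tenant:
            reason = "cross-tenant"  # caller's tenant differs from the owner's
        else:
            continue  # caller and collection share a tenant
        findings.append((m["ts"], m["user"], reason, m["path"], int(m["status"])))
    return findings
```

An access log records the request, not the collections a list call returned, so `unscoped-list` hits are a review queue rather than proof of cross-tenant access.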

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 10 - Data and data governance
ISO 42001
A.6.2.3 - Access control for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to respond to AI risks
OWASP LLM Top 10
LLM08 - Vector and Embedding Weaknesses

Frequently Asked Questions

Is CVE-2026-45832 actively exploited?

No confirmed active exploitation of CVE-2026-45832 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-45832?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, vector databases, multi-tenant AI applications, agent frameworks with persistent memory, LLM application backends.

What is the CVSS score for CVE-2026-45832?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, vector databases, multi-tenant AI applications, agent frameworks with persistent memory, LLM application backends

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0085.000 RAG Databases
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Article 10
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.

Exploitation Scenario

An attacker with any level of access to a shared ChromaDB deployment — for example, a low-privilege employee in a multi-tenant SaaS platform or a malicious user of an LLM application — sends standard GET requests to V1 collection-level endpoints without providing valid tenant or database parameters. Because ChromaDB internally passes None for these values to its authorization layer, the auth check cannot enforce tenant isolation and returns data across all tenants indiscriminately. The attacker systematically enumerates collections via paginated API calls, extracts all stored embeddings and their source documents — which may contain confidential business knowledge, customer PII, or proprietary RAG content ingested by other tenants — and exfiltrates the data silently with no anomalous authentication events in the logs, since the calls are technically authorized from the API's perspective.
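
The flaw pattern described above, reduced to a model that is an added example and not ChromaDB's code: an authorizer that treats a missing scope as nothing to check, beside a fail-closed variant and a handler that resolves the collection's owner first. All names, grants and collections here are hypothetical and constructed for illustration.

```python
# Constructed grants: user -> set of (tenant, database) pairs the user may access.
GRANTS = {
    "alice": {("tenant_a", "db_main")},
    "bob": {("tenant_b", "db_main")},
}

# Constructed ownership table: collection -> (tenant, database).
COLLECTIONS = {
    "a_docs": ("tenant_a", "db_main"),
    "b_docs": ("tenant_b", "db_main"),
}


def authorize_permissive(user, tenant, database):
    """Weak pattern: a missing scope is treated as 'nothing to check'."""
    if user not in GRANTS:
        return False
    if tenant is None or database is None:
        return True  # no resource scope supplied, so any known user passes
    return (tenant, database) in GRANTS[user]


def authorize_fail_closed(user, tenant, database):
    """Hardened pattern: a missing scope is a denial, never a wildcard."""
    if tenant is None or database is None:
        return False
    return (tenant, database) in GRANTS.get(user, set())


def get_collection_v1_style(user, name, authorize):
    """Handler that forwards None for tenant and database to the authorizer."""
    if not authorize(user, None, None):
        raise PermissionError(name)
    return COLLECTIONS[name]


def get_collection_scoped(user, name, authorize):
    """Handler that resolves the collection's real owner before authorizing."""
    tenant, database = COLLECTIONS[name]
    if not authorize(user, tenant, database):
        raise PermissionError(name)
    return COLLECTIONS[name]
```

Failing closed in the authorizer turns the `None` case into a denial, and resolving the owner server-side is what restores the per-record check the CWE-639 mitigations call for.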

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

Timeline

Published: June 12, 2026
Last Modified: June 12, 2026
First Seen: June 12, 2026
