CVE-2026-8828: ChromaDB: tenant isolation bypass exposes all tenant data

HIGH
Published June 12, 2026
CISO Take

ChromaDB's Rust implementation (v1.0.0+) contains an authorization bypass flaw (CWE-639) that completely eliminates multi-tenant isolation: any authenticated user can read, write, update, or delete collections belonging to any other tenant in the same deployment. For organizations hosting shared ChromaDB instances (common in multi-tenant RAG applications, AI platforms, or SaaS products built on vector search), a single compromised or malicious tenant can exfiltrate all other tenants' vector embeddings and associated data. No privilege escalation is required; valid credentials for any tenant are sufficient to exploit this, making it trivially easy to weaponize with no specialized AI knowledge. Until a patched version is confirmed available, immediately restrict ChromaDB access to single-tenant configurations or enforce strict network-level controls preventing cross-tenant API access.

Sources: NVD, HiddenLayer Security Advisory (hiddenlayer.com), ATLAS

What is the risk?

HIGH risk for any multi-tenant ChromaDB deployment. The vulnerability requires only valid authentication — no elevated privileges, no special tooling, and no AI/ML expertise. The blast radius in a shared deployment is total: all vector collections across all tenants are readable, writable, and deletable. For single-tenant deployments, risk is significantly reduced, but lateral movement post-compromise becomes trivial. The Rust implementation represents a newer, performance-optimized backend that organizations may be actively migrating to, potentially expanding exposure.

How does the attack unfold?

Initial Access (AML.T0012): Attacker obtains valid credentials for any tenant in the target ChromaDB deployment — through self-registration, trial account creation, or credential theft from a low-privilege user.

Authorization Bypass (AML.T0049): Attacker crafts API requests specifying arbitrary tenant IDs, exploiting the missing authorization validation to freely access any collection outside their own tenant scope.

Data Collection (AML.T0085.000): Attacker reads vector embeddings, document chunks, and associated metadata from all other tenants' collections, exfiltrating proprietary knowledge base contents at scale.

Impact (AML.T0070): Attacker exfiltrates sensitive data encoded in victim embeddings and optionally writes poisoned entries to target tenants' RAG collections to manipulate downstream AI outputs.

What systems are affected?

Package   Ecosystem  Vulnerable Range  Patched
ChromaDB  pip                          No patch

Do you use ChromaDB? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

6 steps
  1. Patch: Monitor ChromaDB releases and apply the authorization fix for the Rust implementation immediately upon availability — check the HiddenLayer advisory at hiddenlayer.com/sai-security-advisory/2026-06-chromadb-2 for remediation guidance.

  2. Isolation: If patching is not immediately feasible, migrate to dedicated single-tenant ChromaDB instances per customer and remove any shared deployments.

  3. Network controls: Restrict ChromaDB API access to the specific application service account for each tenant via firewall rules or service mesh policies.

  4. Detection: Audit ChromaDB API logs for tenant ID mismatches — flag requests where the authenticated principal's tenant differs from the target collection's owning tenant.

  5. Application-layer defense: Implement server-side tenant validation before every ChromaDB API call as a defense-in-depth control.

  6. Credential rotation: Rotate all ChromaDB credentials to limit blast radius from any previously compromised tenant accounts.
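
An added example for steps 4 and 5 (not code from the advisory or the ChromaDB project): one tenant-ownership check, used both to audit proxy access logs and as a gate before a request is forwarded to ChromaDB. The log format, the principal-to-tenant map and the `/api/v2/tenants/<tenant>/...` route shape are assumptions to adapt to your deployment.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed route shape: /api/v2/tenants/<tenant>/databases/<db>/collections/...
TENANT_ROUTE = re.compile(r"^/api/v2/tenants/([^/]+)(?:/|$)")

# Constructed principal -> owning tenant map (in production: your API-key or IdP store).
PRINCIPAL_TENANT = {"svc-acme": "acme", "svc-globex": "globex"}

# Constructed proxy log lines: timestamp principal method path status
SAMPLE_LOG = """\
2026-06-12T10:00:01Z svc-acme GET /api/v2/tenants/acme/databases/default/collections 200
2026-06-12T10:00:05Z svc-acme POST /api/v2/tenants/globex/databases/default/collections/c1/query 200
2026-06-12T10:00:09Z svc-globex GET /api/v2/heartbeat 200
2026-06-12T10:00:12Z svc-globex DELETE /api/v2/tenants/%61cme/databases/default/collections/kb 200
2026-06-12T10:00:15Z svc-unknown GET /api/v2/tenants/acme/databases/default/collections 200
"""


def target_tenant(raw_path):
    """Tenant named in the path (percent-decoded), or None if the route is not tenant-scoped."""
    match = TENANT_ROUTE.match(urlsplit(raw_path).path)
    return unquote(match.group(1)) if match else None


def verdict(principal, raw_path):
    """Return 'allow', 'cross-tenant' or 'unknown-principal' for one request."""
    tenant = target_tenant(raw_path)
    if tenant is None:
        return "allow"
    owner = PRINCIPAL_TENANT.get(principal)
    if owner is None:
        return "unknown-principal"
    return "allow" if owner == tenant else "cross-tenant"


def enforce(principal, raw_path):
    """Step 5 gate: call before forwarding a request to ChromaDB."""
    result = verdict(principal, raw_path)
    if result != "allow":
        raise PermissionError(f"{principal} -> {raw_path}: {result}")


def audit(log_text):
    """Step 4 audit: (principal, method, path, verdict) for every request that is not allowed."""
    rows = (line.split() for line in log_text.splitlines() if line.strip())
    checked = ((p, m, path, verdict(p, path)) for _ts, p, m, path, _st in rows)
    return [row for row in checked if row[3] != "allow"]
```

The tenant segment is percent-decoded before comparison so that an encoded tenant name in the path is compared in its decoded form.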

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.3 - Data governance and quality for AI
NIST AI RMF
MANAGE-2.2 - Mechanisms to address AI risks
OWASP LLM Top 10
LLM08 - Vector and Embedding Weaknesses

Frequently Asked Questions

Is CVE-2026-8828 actively exploited?

No confirmed active exploitation of CVE-2026-8828 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-8828?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, vector databases, multi-tenant AI applications, AI application platforms, knowledge base systems.

What is the CVSS score for CVE-2026-8828?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, vector databases, multi-tenant AI applications, AI application platforms, knowledge base systems

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0070 RAG Poisoning
AML.T0085.000 RAG Databases

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.

Exploitation Scenario

An adversary operating a low-privilege trial account on a SaaS platform backed by ChromaDB (Rust, v1.0.0+) discovers that the API accepts arbitrary tenant IDs without validating ownership. The attacker enumerates collection names from other tenants through API enumeration or error message leakage, then issues direct read queries against competitor or co-tenant collections — exfiltrating proprietary knowledge base embeddings that may contain confidential documents, customer data, or trade secrets encoded in vector form. In a secondary move, the attacker writes poisoned entries into a target tenant's RAG collection, causing that organization's AI assistant to return manipulated or malicious outputs — a RAG poisoning attack made possible by the same authorization gap, and one that may go undetected until the victim's users notice degraded or harmful AI responses.

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

Timeline

Published
June 12, 2026
Last Modified
June 12, 2026
First Seen
June 12, 2026
