CVE-2026-8828 | A lack of authorization validation in version 1.0.0 or later… | CVSS 8.8 HIGH

Description

A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.

Metadata

CVE ID: CVE-2026-8828
State: PUBLISHED
Assigner: HiddenLayer
Reserved: 2026-05-18 13:23 UTC
Published: 2026-06-12 14:50 UTC
Last updated: 2026-06-12 16:00 UTC
Primary CWE: CWE-639
CWE-639 Authorization bypass through User-Controlled key
Vendor / Product: Chroma / ChromaDB
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Chroma	ChromaDB	—	1.0.0 ≤ *

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639 Authorization bypass through User-Controlled key

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.8	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

References (1)

https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-2