{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-45830","assignerOrgId":"6f8de1f0-f67e-45a6-b68f-98777fdb759c","state":"PUBLISHED","assignerShortName":"HiddenLayer","dateReserved":"2026-05-13T14:01:39.604Z","datePublished":"2026-06-12T14:46:54.823Z","dateUpdated":"2026-06-12T16:01:19.525Z"},"containers":{"cna":{"providerMetadata":{"orgId":"6f8de1f0-f67e-45a6-b68f-98777fdb759c","shortName":"HiddenLayer","dateUpdated":"2026-06-12T14:46:54.823Z"},"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-639","description":"CWE-639 Authorization bypass through User-Controlled key","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-1","descriptions":[{"lang":"en","value":"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}],"affected":[{"vendor":"Chroma","product":"ChromaDB","packageName":"chromadb","repo":"https://github.com/chroma-core/chroma","versions":[{"status":"affected","version":"0.4.17","lessThanOrEqual":"*","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.","supportingMedia":[{"type":"text/html","base64":false,"value":"A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to."}]}],"references":[{"url":"https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"HIGH","baseScore":8.8,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"}}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-12T16:01:09.734596Z","id":"CVE-2026-45830","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-12T16:01:19.525Z"}}]}}