Cross-Tenant Data Access via IDOR in Collection Lookup
June 12, 2026
CVE Number
CVE-2026-45830
Summary
Any authenticated user with a valid collection UUID can read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to. ChromaDB's collection lookup skips the tenant and database filter when a UUID is provided.
Products Impacted
This vulnerability affects Python ChromaDB versions from 0.4.17 to the latest release.
CVSS Score: 8.8
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
CWE Categorization
CWE-639: Authorization Bypass Through User-Controlled Key
Details
The vulnerability is a chain of two code paths that together break tenant isolation:
The first one is the SQL query skips tenant filtering when a UUID is provided. chromadb/db/mixins/sysdb.py:504-520:
if id:
q = q.where(collections_t.id == ParameterValue(self.uuid_to_db(id)))
if name:
q = q.where(collections_t.name == ParameterValue(name))
# Only if we have a name, tenant and database do we need to filter databases
# Given an id, we can uniquely identify the collection so we don't need to filter databases
if id is None and tenant and database:
databases_t = Table("databases")
q = q.where(
collections_t.database_id
== self.querybuilder()
.select(databases_t.id)
.from_(databases_t)
.where(databases_t.name == ParameterValue(database))
.where(databases_t.tenant_id == ParameterValue(tenant))
)
The in-code comment added in commit 1faa69ec7f documents this as a deliberate design decision: "Given an id, we can uniquely identify the collection so we don't need to filter databases." When id is not None, the if id is None and tenant and database guard evaluates to False and the tenant/database subquery is never added. The query resolves the collection purely by UUID.
_get_collection() passes only the UUID, no tenant context. chromadb/api/segment.py:1010-1015:
@trace_method("SegmentAPI._get_collection", OpenTelemetryGranularity.ALL)
def _get_collection(self, collection_id: UUID) -> t.Collection:
collections = self._sysdb.get_collections(id=collection_id)
if not collections or len(collections) == 0:
raise NotFoundError(f"Collection {collection_id} does not exist.")
return collections[0]
This method is called from every data operation (_add, _get, _delete, _query, _update, _upsert). It takes only a collection_id and calls get_collections(id=collection_id) with no tenant or database arguments. Since the UUID is provided, the sysdb layer skips tenant filtering, and the collection is returned regardless of ownership.
Timeline
- February 17th, 2026 - Initial disclosure to ChromaDB per their security page https://www.trychroma.com/security.
- February 24th, 2026 - Attempted follow up through other trychroma emails.
- March 5th, 2026 - Attempted contact through IT-ISAC.
- April 16th, 2026 - Attempted final follow up through all previous channels and social media.
- May 18th, 2026 - Publicly disclosed a first vulnerability, no response from the vendor.
Project URL:
https://github.com/chroma-core/chroma/
RESEARCHER: Esteban Tonglet, Security Researcher, HiddenLayer
Related SAI Security Advisory
June 12, 2026
Post-Authentication RCE via update_collection
Any authenticated user with UPDATE_COLLECTION permission can achieve remote code execution by updating a collection's embedding function to reference a malicious HuggingFace model with trust_remote_code: true. The update_collection endpoint uses the same build_from_config() code path as CVE-2026-45829. Authentication runs before model loading, so this is not a pre-authentication issue, but the model instantiation itself is unguarded.
June 12, 2026
V1 API Tenant Isolation Bypass via Null Tenant/Database Context
All V1 collection-level endpoints pass None for tenant and database to the authorization layer, making tenant-scoped access control impossible through V1, regardless of which authorization provider is configured. V1 cannot be disabled. Combined with CVE-2026-45830, any authenticated user has unrestricted read/write access to any collection by UUID through V1 endpoints.