CVE-2026-45832: All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorizatio
Summary
CVE-2026-45832 is a vulnerability in ChromaDB's Python project where V1 collection-level endpoints (API access points for managing data collections) pass None (empty/null values) for the tenant and database parameters to the authorization layer, allowing attackers with login credentials to bypass authorization controls (security checks that verify what users are allowed to do) by using these older endpoints. The vulnerability has a CVSS score (0-10 severity rating) of 8.8, indicating it is high-severity.
Vulnerability Details
EPSS: 0.0%
June 12, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-45832
First tracked: June 12, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 92%