CVE-2026-8828: A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users
Summary
ChromaDB Rust (version 1.0.0 and later) has a security flaw where authorization validation (checking whether a user has permission to access data) is missing, allowing any logged-in user to read, write, update, or delete data from any tenant's collection (a storage area for data), even if they shouldn't have access to it. This is rated as HIGH severity with a CVSS score (a 0-10 rating of how severe a vulnerability is) of 8.8.
Vulnerability Details
EPSS: 0.0%
June 12, 2026
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-8828
First tracked: June 12, 2026 at 08:09 PM