{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-45830: A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-45830","status":"final","version":"1","initial_release_date":"2026-06-12T14:46:54.823Z","current_release_date":"2026-06-12T16:01:19.525Z","revision_history":[{"date":"2026-06-12T14:46:54.823Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-45830 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-45830"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-45830"},{"category":"external","summary":"hiddenlayer.com","url":"https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb"}]},"product_tree":{"branches":[{"category":"vendor","name":"Chroma","branches":[{"category":"product_name","name":"ChromaDB","branches":[{"category":"product_version_range","name":">=0.4.17 <=*","product":{"name":"Chroma ChromaDB >=0.4.17 <=*","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:chroma:chromadb:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-45830","title":"A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project","notes":[{"category":"description","text":"A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N","baseScore":8.8,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}