{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-8828: A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-8828","status":"final","version":"1","initial_release_date":"2026-06-12T14:50:32.788Z","current_release_date":"2026-06-12T16:00:39.467Z","revision_history":[{"date":"2026-06-12T14:50:32.788Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-8828 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-8828"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-8828"},{"category":"external","summary":"hiddenlayer.com","url":"https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-2"}]},"product_tree":{"branches":[{"category":"vendor","name":"Chroma","branches":[{"category":"product_name","name":"ChromaDB","branches":[{"category":"product_version_range","name":">=1.0.0 <=*","product":{"name":"Chroma ChromaDB >=1.0.0 <=*","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:chroma:chromadb:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-8828","title":"A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project","notes":[{"category":"description","text":"A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N","baseScore":8.8,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}