The Cyborg Log
Technical Explainer · Jun 13, 2026

Tenant Isolation Keeps Breaking in Vector Databases

On June 12, ChromaDB disclosed four tenant isolation CVEs in a single coordinated advisory — the clearest signal yet that application-layer isolation is not an architectural solution.

On June 12, 2026, HiddenLayer published a coordinated advisory disclosing four tenant isolation vulnerabilities in ChromaDB. CVE-2026-45830 documents that any authenticated user can read, write, update, or delete data in any tenant’s collection regardless of which tenant they belong to (ChromaDB Python ≥ 0.4.17). CVE-2026-45831 shows that SimpleRBACAuthorizationProvider checks what permission a user holds but never which tenant, database, or collection it applies to. CVE-2026-45832 reveals that all V1 API collection endpoints pass None for tenant and database to the authorization layer — V1 routes nullify tenant isolation entirely. CVE-2026-8828 carries the same authorization failure in the Rust implementation (≥ 1.0.0). These four CVEs bring the total documented tenant isolation bypass count in the vector database ecosystem to 13 since March 2026, per the HiddenLayer advisory.

This is the same pattern that drove six Spring AI CVEs earlier this year. All six rested on the same assumption: that application-layer filters, RBAC, or defaults are sufficient for tenant isolation. The ChromaDB cluster makes that assumption explicit. CVE-2026-45831 shows RBAC confirmed the user held a permission but never verified where it applied. CVE-2026-45832 shows one call path opted out of tenant enforcement entirely, breaking the guarantee for every other path. Isolation enforced only in code can be bypassed by code that gets the logic wrong. That is not a bug you patch once; it is an architecture you have to change.
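The two failure modes above, reduced to a minimal authorization layer, as an added example that is not ChromaDB's code. The first authorizer checks only what a user may do (the CVE-2026-45831 pattern); the legacy `v1_get_collection` route forwards `None` for tenant and database (the CVE-2026-45832 pattern). The hardened `authorize_scoped` compares scope against the tenant on the authenticated credential and denies any call that arrives without context. All class, function and route names are hypothetical stand-ins.

```python
# Added example, not ChromaDB's code: a minimal authorization layer that
# reproduces the two failure modes described above (permission checked
# without scope; a legacy route passing None for tenant/database) beside
# a hardened version. Every name here is a hypothetical stand-in.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str            # tenant the credential was issued for
    roles: frozenset


# Constructed role table. It names permissions only: nothing here says
# *which* tenant, database or collection a permission applies to.
ROLES = {
    "reader": frozenset({"collection:read"}),
    "writer": frozenset({"collection:read", "collection:write"}),
}


class AuthorizationError(Exception):
    pass


def _has_permission(p: Principal, action: str) -> bool:
    return any(action in ROLES[r] for r in p.roles)


def authorize_permission_only(p, action, tenant, database, collection):
    """Failure mode 1: checks what the user may do, never where.
    tenant/database/collection are accepted and ignored, so a None from a
    legacy route is indistinguishable from a correct value."""
    if not _has_permission(p, action):
        raise AuthorizationError(f"{p.user} lacks {action}")


def authorize_scoped(p, action, tenant, database, collection):
    """Hardened: scope is compared against the authenticated credential,
    and a call path that carries no tenant context is denied outright."""
    if tenant is None or database is None or collection is None:
        raise AuthorizationError("missing tenant/database/collection context")
    if tenant != p.tenant:
        raise AuthorizationError(f"{p.user} is bound to {p.tenant}, not {tenant}")
    if not _has_permission(p, action):
        raise AuthorizationError(f"{p.user} lacks {action}")


# Two hypothetical call paths into the same collection-read handler.
def v2_get_collection(authorize, p, tenant, database, collection):
    authorize(p, "collection:read", tenant, database, collection)
    return f"{tenant}/{database}/{collection}"


def v1_get_collection(authorize, p, collection):
    # Failure mode 2: the legacy route never resolved a tenant, so it
    # forwards None and relies on the authorizer to cope.
    authorize(p, "collection:read", None, None, collection)
    return f"?/?/{collection}"


def outcome(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except AuthorizationError:
        return "denied"


def run_scenarios():
    alice = Principal("alice", "tenant-a", frozenset({"reader"}))
    return {
        # cross-tenant read via the route that does carry tenant context
        "permission_only_cross_tenant": outcome(
            v2_get_collection, authorize_permission_only, alice, "tenant-b", "prod", "docs"),
        "scoped_cross_tenant": outcome(
            v2_get_collection, authorize_scoped, alice, "tenant-b", "prod", "docs"),
        # legacy route that forwards None for tenant and database
        "permission_only_v1": outcome(v1_get_collection, authorize_permission_only, alice, "docs"),
        "scoped_v1": outcome(v1_get_collection, authorize_scoped, alice, "docs"),
        # legitimate read of alice's own tenant
        "scoped_own_tenant": outcome(
            v2_get_collection, authorize_scoped, alice, "tenant-a", "prod", "docs"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:32} {result}")
```

The point of `authorize_scoped` is the first `if`: an absent tenant is treated as a denial, so a route that forgets to resolve one fails closed instead of silently widening access to every tenant.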

The question every multi-tenant vector DB deployment should answer

What does an attacker actually retrieve if they cross a tenant boundary? If the answer is “plaintext vectors,” the blast radius of any isolation failure (a misconfigured RBAC rule, a None parameter, a missed V1 route) is the full dataset. The architectural alternative is to make the question irrelevant: if vectors are encrypted with per-tenant keys that live outside the database, crossing a call path boundary yields only ciphertext. The isolation is cryptographic, not logical. One caveat: that holds only if key selection is bound to the tenant on the authenticated credential. If the key is looked up from the same caller-supplied tenant parameter the authorization layer got wrong, a null or spoofed tenant fetches the wrong key along with the wrong rows.

CyborgDB uses per-tenant encryption: each tenant’s data is encrypted with tenant-scoped keys held in the customer’s KMS — Cyborg Inc. never receives them. Keys are fetched per-operation; the backing store holds only ciphertext.
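The following is an added illustration of that design, not CyborgDB's implementation: a customer-side KMS stand-in that selects keys by the tenant on the authenticated credential, a store that holds only ciphertext, and a deliberately broken `get_bypassed` path that hands another tenant's rows to the caller without any check. The attacker receives the rows but cannot decrypt them. The cipher is a toy keyed-keystream-plus-HMAC stand-in for AES-GCM so the example runs on the standard library alone; it is not a real cipher and must not be reused. `CustomerKms`, `EncryptedStore` and the route names are hypothetical.

```python
# Added example, not CyborgDB's implementation: per-tenant keys held in a
# customer-side KMS, selected by the authenticated tenant, so a bypassed
# authorization check hands an attacker ciphertext only. The cipher is a
# toy keyed-keystream + HMAC stand-in for AES-GCM so the example runs on
# the standard library alone; never use it in production. KMS, store and
# route names are hypothetical.
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str   # tenant the credential was issued for


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.blake2b(nonce + struct.pack(">Q", ctr), key=key).digest()
        ctr += 1
    return out[:n]


def toy_encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class CustomerKms:
    """Keys live here, outside the database. Selection is by the tenant on
    the authenticated credential, never by a caller-supplied parameter, so
    a None tenant from a broken route cannot pick another tenant's key."""
    def __init__(self):
        self._keys = {}

    def key_for(self, p: Principal) -> bytes:
        return self._keys.setdefault(p.tenant, os.urandom(32))


def pack_vector(v):
    return struct.pack(f">{len(v)}f", *v)


def unpack_vector(b):
    return list(struct.unpack(f">{len(b) // 4}f", b))


class EncryptedStore:
    """The database side: holds only ciphertext, keyed by (tenant, collection)."""
    def __init__(self):
        self.rows = {}

    def add(self, kms, p, collection, vector):
        blob = toy_encrypt(kms.key_for(p), pack_vector(vector))
        self.rows.setdefault((p.tenant, collection), []).append(blob)

    def get(self, kms, p, collection):
        key = kms.key_for(p)
        return [unpack_vector(toy_decrypt(key, b)) for b in self.rows.get((p.tenant, collection), [])]

    def get_bypassed(self, tenant, collection):
        # Stand-in for an isolation failure: returns another tenant's rows
        # with no authorization check at all.
        return list(self.rows.get((tenant, collection), []))


def demo():
    kms, store = CustomerKms(), EncryptedStore()
    victim = Principal("alice", "tenant-a")
    attacker = Principal("mallory", "tenant-b")
    secret = [0.5, 0.25, 1.0]   # constructed sample embedding
    store.add(kms, victim, "docs", secret)

    leaked = store.get_bypassed("tenant-a", "docs")   # attacker crosses the boundary
    try:
        toy_decrypt(kms.key_for(attacker), leaked[0])
        attacker_decrypt_fails = False
    except ValueError:
        attacker_decrypt_fails = True

    return {
        "victim_roundtrip": store.get(kms, victim, "docs")[0],
        "plaintext_in_store": pack_vector(secret) in leaked[0],
        "attacker_decrypt_fails": attacker_decrypt_fails,
    }


if __name__ == "__main__":
    print(demo())
```

Note what `key_for` takes: the `Principal`, not a tenant string from the request. That is the binding the caveat above depends on; with it, the broken `get_bypassed` path leaks bytes that are useless without a key the attacker's credential can never select.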

If you run ChromaDB: Review HiddenLayer’s advisory for affected versions and patches. CVE-2026-45830 affects Python ≥ 0.4.17; CVE-2026-8828 affects Rust ≥ 1.0.0.

If you evaluate any multi-tenant vector DB: Ask how tenant isolation is enforced when a call path receives unexpected or null tenant context. The answer should describe a cryptographic boundary, not a conditional check.

If you audit your own stack: Map every API path that carries tenant context. Confirm each one enforces isolation independently — no path should assume a downstream layer handles it.


CVE details sourced from NVD and the HiddenLayer security advisory (published 2026-06-12). Published 2026-06-13.