The ChromaDB Python project version 0.4.17 suffers from an authorization bypass vulnerability (CWE-639) where authenticated users can manipulate data across tenant collections arbitrarily. The flaw is due to missing authorization validation on user-controlled keys, enabling unauthorized access and modification of data belonging to other tenants. This vulnerability has a CVSS 4.0 score of 8.8, indicating a high impact with network attack vector, low attack complexity, and requiring low privileges but partial user interaction. No official patch or remediation level has been published yet, and no known exploits are reported in the wild.

An attacker with valid authentication can bypass tenant isolation controls and perform unauthorized read, write, update, or delete operations on any tenant's data collections. This compromises data confidentiality, integrity, and availability across tenants in a multi-tenant environment.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to trusted users only and monitor for suspicious activity related to cross-tenant data access. Avoid deploying version 0.4.17 in multi-tenant environments where tenant data isolation is critical.