The vulnerability in ChromaDB version 0.5.0 arises from the SimpleRBACAuthorizationProvider's failure to validate the scope of permissions. While it checks if a user has a given permission, it does not confirm whether that permission applies to the specific tenant, database, or collection involved. This incorrect authorization (CWE-863) enables users with limited permissions to perform actions across tenants, violating tenant isolation principles.

Exploitation of this vulnerability can lead to unauthorized cross-tenant access and actions within ChromaDB, potentially exposing or modifying data belonging to other tenants. This breaks tenant isolation and could result in data leakage or unauthorized data manipulation. The CVSS 4.0 base score is 8.8 (high), indicating a significant impact on confidentiality, integrity, and availability with low attack complexity and no user interaction required.

No official patch or remediation is currently available for this vulnerability. Users of ChromaDB version 0.5.0 should monitor the vendor's advisories for updates. Until a fix is released, consider restricting access to trusted users only and applying compensating controls to limit cross-tenant access where possible.