Common Weakness Enumeration

CWE-551

Allowed

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Abstraction: Base · Status: Incomplete

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

21 vulnerabilities reference this CWE, most recent first.

GHSA-X97M-F58V-9CWG

Vulnerability from github – Published: 2026-06-12 18:31 – Updated: 2026-06-30 03:37
VLAI
Details

All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45832"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-551",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T16:16:28Z",
    "severity": "HIGH"
  },
  "details": "All V1 collection-level endpoints in ChromaDB\u0027s Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints.",
  "id": "GHSA-x97m-f58v-9cwg",
  "modified": "2026-06-30T03:37:02Z",
  "published": "2026-06-12T18:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45832"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-45832"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488411"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45832.json"
    },
    {
      "type": "WEB",
      "url": "https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

URL Inputs should be decoded and canonicalized to the application's current internal representation before being validated and processed for authorization. Make sure that your application does not decode the same input twice. Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.