Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (HiddenLayer).
CVSS VectorVendor: HiddenLayer
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 pypi packages depend on chromadb (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.0.0.
DescriptionCVE.org
A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
AnalysisAI
Remote code execution in ChromaDB Python (version 1.0.0 and later) allows unauthenticated attackers to execute arbitrary code on the server by submitting a malicious model repository with trust_remote_code enabled via the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.
Technical ContextAI
ChromaDB is a popular open-source AI-native embedding database written in Python, commonly deployed as a vector store backing retrieval-augmented generation (RAG) pipelines and LLM applications. The vulnerability is a CWE-94 Improper Control of Generation of Code ('Code Injection') flaw in the collections REST API (/api/v2/tenants/{tenant}/databases/{db}/collections), where supplying a crafted model repository together with the trust_remote_code=true parameter causes ChromaDB to load and execute attacker-controlled Python from the referenced repository. This pattern mirrors known risks with Hugging Face transformers' trust_remote_code option, which downloads and runs arbitrary model code: ChromaDB exposes this dangerous capability over an unauthenticated network API, turning a library-level footgun into a remote primitive. The affected CPE is cpe:2.3:a:chroma:chromadb covering all 1.0.0 and later releases per the EUVD record.
RemediationAI
No vendor-released patch identified at time of analysis in the provided data, so operators should immediately monitor the upstream tracking issue at https://github.com/chroma-core/chroma/issues/6717 and the HiddenLayer advisory at https://www.hiddenlayer.com/research/chromatoast-served-pre-auth for a fixed release and upgrade ChromaDB to that patched version as soon as it is published. Until a patch is available, restrict network access to the ChromaDB API so the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint is not reachable from untrusted networks (firewall or service-mesh policies), place an authenticating reverse proxy in front of ChromaDB to eliminate the pre-auth attack surface, and where feasible reject or filter requests that include trust_remote_code=true or reference external model repositories at the proxy layer - note that filtering may break legitimate workflows that intentionally load remote model code. Additionally, run ChromaDB under a least-privileged service account in a network-segmented or container-isolated environment so that successful code execution does not yield broader host or cluster compromise.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30779
GHSA-f4j7-r4q5-qw2c