Skip to main content

ChromaDB CVE-2026-45829

| EUVDEUVD-2026-30779 CRITICAL
Code Injection (CWE-94)
2026-05-18 HiddenLayer GHSA-f4j7-r4q5-qw2c
10.0
CVSS 4.0 · Vendor: HiddenLayer
Share

Severity by source

Vendor (HiddenLayer) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
10.0 CRITICAL
qualitative

Primary rating from Vendor (HiddenLayer).

CVSS VectorVendor: HiddenLayer

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 18, 2026 - 17:30 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on chromadb (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.0.0.

DescriptionCVE.org

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

AnalysisAI

Remote code execution in ChromaDB Python (version 1.0.0 and later) allows unauthenticated attackers to execute arbitrary code on the server by submitting a malicious model repository with trust_remote_code enabled via the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.

Technical ContextAI

ChromaDB is a popular open-source AI-native embedding database written in Python, commonly deployed as a vector store backing retrieval-augmented generation (RAG) pipelines and LLM applications. The vulnerability is a CWE-94 Improper Control of Generation of Code ('Code Injection') flaw in the collections REST API (/api/v2/tenants/{tenant}/databases/{db}/collections), where supplying a crafted model repository together with the trust_remote_code=true parameter causes ChromaDB to load and execute attacker-controlled Python from the referenced repository. This pattern mirrors known risks with Hugging Face transformers' trust_remote_code option, which downloads and runs arbitrary model code: ChromaDB exposes this dangerous capability over an unauthenticated network API, turning a library-level footgun into a remote primitive. The affected CPE is cpe:2.3:a:chroma:chromadb covering all 1.0.0 and later releases per the EUVD record.

RemediationAI

No vendor-released patch identified at time of analysis in the provided data, so operators should immediately monitor the upstream tracking issue at https://github.com/chroma-core/chroma/issues/6717 and the HiddenLayer advisory at https://www.hiddenlayer.com/research/chromatoast-served-pre-auth for a fixed release and upgrade ChromaDB to that patched version as soon as it is published. Until a patch is available, restrict network access to the ChromaDB API so the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint is not reachable from untrusted networks (firewall or service-mesh policies), place an authenticating reverse proxy in front of ChromaDB to eliminate the pre-auth attack surface, and where feasible reject or filter requests that include trust_remote_code=true or reference external model repositories at the proxy layer - note that filtering may break legitimate workflows that intentionally load remote model code. Additionally, run ChromaDB under a least-privileged service account in a network-segmented or container-isolated environment so that successful code execution does not yield broader host or cluster compromise.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

Share

CVE-2026-45829 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy