Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable HTTP endpoint, low complexity, requires an authenticated token with UPDATE_COLLECTION (PR:L), no user interaction, and arbitrary code execution yields full C/I/A impact on the ChromaDB host.
Primary rating from Vendor (HiddenLayer).
Description (CVE.org)
A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} if they have the UPDATE_COLLECTION permission.
Analysis (AI)
Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the UPDATE_COLLECTION permission to execute arbitrary code on the server by submitting a malicious model repository with trust_remote_code=true to the collection update endpoint. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.4 and HiddenLayer's disclosure indicate a high-severity flaw in a widely used AI vector database. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) an authenticated API token holding the UPDATE_COLLECTION permission on the targeted collection, (2) network reachability to the ChromaDB HTTP API on the /api/v2/tenants/{tenant}/databases/{database}/collections/{collection_id} route, and (3) the ability for the ChromaDB host to fetch the attacker-supplied model repository (typically outbound HTTPS to a model registry such as Hugging Face). … |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N with VC:H/VI:H/VA:H and subsequent-system SC:H/SI:H/SA:H reflects a network-reachable, low-complexity, single-privilege-level attack with total impact on the host and downstream systems - appropriate given that successful exploitation yields code execution under the ChromaDB service account. … |
| Exploit Scenario | An attacker who has obtained an API token with UPDATE_COLLECTION (e.g., a leaked CI token, a compromised internal RAG service account, or a tenant in a multi-tenant deployment) issues a PUT against /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} pointing the embedding model field at an attacker-controlled Hugging Face-style repository with trust_remote_code=true. When ChromaDB loads the model, the attacker's Python is executed in the ChromaDB process, yielding shell access on the server, theft of stored embeddings and API keys, and a pivot point into the broader RAG pipeline. … |
| Remediation | No vendor-released patch identified at time of analysis from the supplied data; consult the HiddenLayer advisory at https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-5 and the upstream chroma-core/chroma GitHub repository for an updated chromadb release before deploying. … |
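
A defender-side check for the request pattern described in the Exploit Scenario row, as an added example that is not part of the original page or of ChromaDB: it scans request records for PUTs to the collection-update route whose JSON body carries a truthy trust_remote_code at any depth. The JSON-lines log format, its field names (method, path, principal, body) and the sample body keys are assumptions constructed for illustration.

```python
import json
import re

# Collection-update route from the advisory; tenant, database and collection id vary.
ROUTE = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/[^/?]+/?$")
TRUTHY = {"true", "1", "yes"}

def has_trust_remote_code(node):
    """Return True if a truthy trust_remote_code key appears at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "trust_remote_code" and str(value).lower() in TRUTHY:
                return True
            if has_trust_remote_code(value):
                return True
    elif isinstance(node, list):
        return any(has_trust_remote_code(item) for item in node)
    return False

def flag_requests(log_lines):
    """Return (line_number, principal, reason) for each request worth reviewing."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        try:
            record = json.loads(line)
            path = record.get("path", "").split("?", 1)[0]
        except (json.JSONDecodeError, AttributeError):
            continue  # skip lines that are not JSON object records
        if record.get("method") != "PUT" or not ROUTE.match(path):
            continue
        try:
            body = json.loads(record.get("body") or "null")
        except json.JSONDecodeError:
            findings.append((number, record.get("principal"), "unparseable body"))
            continue
        if has_trust_remote_code(body):
            findings.append((number, record.get("principal"), "trust_remote_code enabled"))
    return findings

# Constructed sample records; the log fields and body key nesting are hypothetical.
PATH = "/api/v2/tenants/default_tenant/databases/default_database/collections/c-123"
SAMPLE_LOG = [json.dumps(r) for r in [
    {"method": "GET", "path": PATH, "principal": "svc-read", "body": ""},
    {"method": "PUT", "path": PATH, "principal": "svc-rag", "body": '{"settings": {"trust_remote_code": false}}'},
    {"method": "PUT", "path": PATH, "principal": "ci-token", "body": '{"settings": {"loader": [{"trust_remote_code": true}]}}'},
    {"method": "PUT", "path": PATH + "?x=1", "principal": "tenant-b", "body": '{"trust_remote_code": "True"}'},
    {"method": "PUT", "path": "/api/v2/other", "principal": "svc-rag", "body": '{"trust_remote_code": true}'},
    {"method": "PUT", "path": PATH, "principal": "tenant-c", "body": '{"settings": '},
]]
```

Calling `flag_requests(SAMPLE_LOG)` returns the records to review; the principal on each finding ties back to the audit of UPDATE_COLLECTION permission holders.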
Recommended Action (AI)
WITHIN 24 HOURS: Identify all ChromaDB instances (0.4.17+) and audit UPDATE_COLLECTION permission holders; assess network exposure. …
EUVD-2026-36484
GHSA-36p7-vc44-83pf