ChromaDB Max-Severity Flaw CVE-2026-45829 Allows Server Hijacking
A critical vulnerability, tracked as CVE-2026-45829, has been discovered in ChromaDB's Python FastAPI implementation, allowing unauthenticated attackers to execute arbitrary code on exposed servers. The flaw, identified by security researchers at HiddenLayer, received a maximum severity score and affects ChromaDB versions 1.0.0 through 1.5.8. ChromaDB is an open-source vector database widely used in AI applications for semantic document retrieval during large language model (LLM) inference, with the Python package receiving nearly 14 million monthly downloads from PyPI.
The vulnerability exists in the API server logic, where authentication checks run after critical operations have already executed. According to HiddenLayer's analysis, the authentication mechanism is not absent but is positioned incorrectly in the code execution flow. Attackers can send crafted requests that force ChromaDB to load malicious models from Hugging Face and execute them locally before authentication occurs; the server returns a 500 error, but the attacker's payload has already run. Organizations running vulnerable instances should immediately restrict network access to their ChromaDB API and consider using the Rust frontend, which is not affected by this flaw.
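The ordering problem described above, as a simplified Python model added here for illustration: it is not ChromaDB's code, and the handler names, token and model name are hypothetical, constructed values. It shows why an error response does not prove that nothing ran (this model answers 401 rather than the 500 the real server returns).

```python
# Simplified model of an auth-after-side-effect bug. All names are hypothetical.
import hmac

API_TOKEN = "constructed-test-token"  # constructed sample secret
loaded_models = []                    # records every "model load" side effect


class HTTPError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def load_model(name):
    """Stand-in for fetching and initializing a model named by the client."""
    loaded_models.append(name)


def authenticate(headers):
    """Raise 401 unless the request carries the expected bearer token."""
    supplied = headers.get("Authorization", "").encode()
    expected = f"Bearer {API_TOKEN}".encode()
    if not hmac.compare_digest(supplied, expected):
        raise HTTPError(401)


def handle_vulnerable(headers, body):
    # Flawed ordering: request-controlled work runs before the auth check.
    load_model(body["model"])
    authenticate(headers)
    return 200


def handle_fixed(headers, body):
    # Correct ordering: reject the caller before acting on request data.
    authenticate(headers)
    load_model(body["model"])
    return 200


def status_of(handler, headers, body):
    """Run a handler; return (HTTP status, models loaded during the call)."""
    before = len(loaded_models)
    try:
        status = handler(headers, body)
    except HTTPError as exc:
        status = exc.status
    return status, loaded_models[before:]
```

Both handlers reject an unauthenticated request with the same status, so only the recorded side effect distinguishes them. Regression tests for this class of bug therefore need to assert on what the handler did, not just on the response code.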
HiddenLayer reported the vulnerability to ChromaDB developers on February 17 but has received no response despite multiple outreach attempts by email and social media. Shodan queries reveal that approximately 73% of internet-exposed Chroma instances are running vulnerable versions. While version 1.5.9 was released two weeks ago, it remains unclear whether CVE-2026-45829 has been properly patched. Organizations can use tools like our port scanner to identify exposed ChromaDB instances and our VPN/proxy detector to check for unauthorized reverse proxies that could facilitate attacks. Additionally, scanning ML model artifacts before runtime is recommended, since loading public models with 'trust_remote_code' effectively executes untrusted code on your infrastructure.