
A maximum-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.
The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the highest severity rating from HiddenLayer, the company that discovered it.
ChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and related applications. It allows retrieving semantically related documents during large language model (LLM) inference.
The flaw affects the codebase containing the vulnerable Python API server logic, so the PyPI package, which has almost 14 million monthly downloads, is at risk when servers are accessible over HTTP.
Users who deploy it locally without exposing the API server online, along with those using the Rust front-end, are not affected by CVE-2026-45829.
According to HiddenLayer, a vulnerable API endpoint marked as authenticated allows attackers to embed model settings before authentication is checked.
An attacker can send a crafted request to force ChromaDB to load a malicious model from the Hugging Face platform and execute it locally. The authentication check is only performed after that step, bypassing security.
“The authentication shouldn’t be lacking, [it’s] simply within the incorrect place,” explains HiddenLayer.
“By the point it fires, the model has already been fetched and executed. The server rejects the request, returns a 500, and the attacker’s payload has already run.”
Exposure and mitigation
The researchers report that the flaw was introduced in ChromaDB 1.0.0 and was unpatched in version 1.5.8. Two weeks ago, the maintainer released version 1.5.9. However, it remains unclear if the security issue has been fixed.
Since February 17, HiddenLayer researchers have tried to contact the developer multiple times over email and social media, but received no reply.
BleepingComputer contacted the Chroma team about the status of CVE-2026-45829 but had not received a response by the time of publication. We’ll update this article if additional details become available.
According to their queries on Shodan, roughly 73% of the internet-exposed instances are running a vulnerable version of Chroma.
Until it becomes clear that CVE-2026-45829 has been patched, the recommendation for impacted users is to opt for the Rust frontend for their deployments or avoid exposing the Python server publicly. Another mitigation is to restrict network access to the ChromaDB API port.
The researchers also recommend scanning ML model artifacts before runtime because loading public models with ‘trust_remote_code’ effectively means executing untrusted code.
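The check-ordering problem and the ‘trust_remote_code’ recommendation described above, as an added illustration that is not ChromaDB's code or HiddenLayer's: a handler that acts on request-supplied model settings before authenticating, beside a version that authenticates first and refuses unvetted models. All handler names, the token, the allowlist and the sample request are constructed, and `load_model` is a stub that only records the call.

```python
# Added illustration; handler and helper names are hypothetical, not ChromaDB code.
ALLOWED_MODELS = {"internal/embedder-v1"}   # constructed allowlist
VALID_TOKENS = {"Bearer s3cr3t-token"}      # constructed credential
loaded = []                                 # every (model, trust_remote_code) load is recorded

class AuthError(Exception): pass
class PolicyError(Exception): pass

def load_model(name, trust_remote_code=False):
    """Stand-in for a model loader. With a real loader, trust_remote_code=True
    runs code shipped in the model repository, so the load is the dangerous step."""
    loaded.append((name, trust_remote_code))
    return f"model:{name}"

def authenticate(headers):
    if headers.get("Authorization") not in VALID_TOKENS:
        raise AuthError("missing or invalid credentials")

def handle_flawed(headers, body):
    cfg = body.get("embedding", {})
    # Flawed order: request-supplied model settings are acted on first ...
    model = load_model(cfg.get("model"), cfg.get("trust_remote_code", False))
    authenticate(headers)  # ... and the check only fires once the load has happened
    return model

def handle_hardened(headers, body):
    authenticate(headers)  # 1. reject the caller before any side effect
    cfg = body.get("embedding", {})
    if cfg.get("model") not in ALLOWED_MODELS:  # 2. only pre-vetted models
        raise PolicyError("model not on allowlist")
    if cfg.get("trust_remote_code"):            # 3. never take this flag from a request
        raise PolicyError("trust_remote_code may not be set by the client")
    return load_model(cfg["model"], trust_remote_code=False)

def serve(handler, headers, body):
    """Run one request; return (status, model loads that request caused)."""
    before = len(loaded)
    try:
        handler(headers, body)
        status = 200
    except AuthError:
        status = 401
    except PolicyError:
        status = 400
    return status, loaded[before:]

# Constructed sample request: no credentials, unvetted model, remote code enabled.
UNTRUSTED = {"embedding": {"model": "example-org/unvetted-model", "trust_remote_code": True}}

if __name__ == "__main__":
    print("flawed:  ", serve(handle_flawed, {}, UNTRUSTED))
    print("hardened:", serve(handle_hardened, {}, UNTRUSTED))
```

Both handlers reject the unauthenticated request, but only the flawed one has already performed the model load by the time the rejection is returned, which is why a status code alone does not show whether the request was harmless.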

