A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.
The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity rating from HiddenLayer, the company that discovered it.
ChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and related applications. It enables retrieving semantically related documents during large language model (LLM) inference.
The flaw affects the codebase containing the vulnerable Python API server logic, so the PyPI package, which has nearly 14 million monthly downloads, is at risk when servers are accessible over HTTP.
Users who deploy it locally without exposing the API server online, along with those using the Rust front-end, are not affected by CVE-2026-45829.
According to HiddenLayer, a vulnerable API endpoint marked as authenticated allows attackers to embed model settings before authentication is checked.
An attacker can send a crafted request to force ChromaDB to load a malicious model from the Hugging Face platform and execute it locally. The authentication check is only performed after that step, bypassing protection.
“The authentication isn’t lacking, [it’s] simply within the incorrect place,” explains HiddenLayer.
“By the time it fires, the model has already been fetched and executed. The server rejects the request, returns a 500, and the attacker’s payload has already run.”
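The ordering problem described above can be shown with a small model of a request handler. This is an added example, not ChromaDB source code; the class, method names, token and model name are all hypothetical or constructed, and the "model load" is a stand-in that only records what would have been loaded.

```python
# Added illustration; not ChromaDB source. All names are hypothetical.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    pass


@dataclass
class Server:
    valid_tokens: set
    loaded: list = field(default_factory=list)  # records every model load

    def _load_embedding_model(self, config):
        # Stand-in for fetching and instantiating a model named by the client.
        # In a real server this step can run code shipped with the model.
        self.loaded.append(config["model_name"])

    def _check_auth(self, token):
        if token not in self.valid_tokens:
            raise Unauthorized("invalid or missing token")

    def handle_flawed(self, token, config):
        # Flawed order: request-supplied settings are acted on first.
        self._load_embedding_model(config)
        self._check_auth(token)  # fires too late
        return "ok"

    def handle_fixed(self, token, config):
        # Fixed order: reject before touching any request-supplied settings.
        self._check_auth(token)
        self._load_embedding_model(config)
        return "ok"


def loads_before_rejection(handler_name):
    """Return the models loaded while serving one unauthenticated request."""
    server = Server(valid_tokens={"constructed-token"})
    handler = getattr(server, handler_name)
    try:
        handler(None, {"model_name": "constructed/untrusted-model"})
    except Unauthorized:
        pass  # the client sees an error in both cases
    return server.loaded


if __name__ == "__main__":
    print("flawed:", loads_before_rejection("handle_flawed"))
    print("fixed: ", loads_before_rejection("handle_fixed"))
```

Both handlers reject the unauthenticated request, so a test that only checks the response status passes for either one; the difference shows up only when the test also asserts that no side effect happened before the rejection.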
Exposure and mitigation
The researchers report that the flaw was introduced in ChromaDB 1.0.0 and was unpatched in version 1.5.8. Two weeks ago, the maintainer released version 1.5.9. However, it remains unclear if the security issue has been fixed.
Since February 17, HiddenLayer researchers have tried to contact the developer several times over email and social media, but received no reply.
BleepingComputer contacted the Chroma team about the status of CVE-2026-45829 but had not received a response by the time of publication. We’ll update this article if more details become available.
According to their queries on Shodan, roughly 73% of the internet-exposed instances are running a vulnerable version of Chroma.
Until it becomes clear that CVE-2026-45829 has been patched, the recommendation for impacted users is to choose the Rust frontend for their deployments or avoid exposing the Python server publicly. Another mitigation is to restrict network access to the ChromaDB API port.
The researchers also recommend scanning ML model artifacts before runtime because loading public models with ‘trust_remote_code’ effectively means executing untrusted code.

