CVE-2026-45829: ChromaDB: pre-auth RCE via trust_remote_code injection

AWAITING NVD
Published May 18, 2026
CISO Take

ChromaDB versions ≥1.0.0 contain a pre-authentication remote code execution flaw in the collection creation API endpoint that allows any unauthenticated network attacker to execute arbitrary code on the server by submitting a crafted malicious model repository with trust_remote_code set to true — no credentials, no user interaction required. ChromaDB is a foundational vector database widely deployed in RAG pipelines, AI agent backends, and LLM applications, meaning a compromised instance exposes all stored embeddings, raw document chunks, and whatever host-level access the process holds, with a realistic pivot path into connected ML infrastructure. No CVSS score or EPSS percentile is available yet given the same-day publication, but the pre-authentication, zero-click exploitation path is functionally equivalent to a CVSS 9.8 — the trust_remote_code attack class is well-understood by AI-aware threat actors following prior HuggingFace and PyTorch Hub exploitation patterns. Immediately isolate ChromaDB API endpoints (default port 8000) behind authenticated proxies or firewall rules, block any public exposure, and monitor for unexpected child processes or outbound connections from the ChromaDB service.

Sources: NVD, GitHub Advisory, ATLAS, hiddenlayer.com

What is the risk?

CRITICAL in practice despite the absent CVSS score. Pre-authentication code injection requires no credentials, no user interaction, and no prior foothold — any attacker with network reach to the ChromaDB API achieves full server compromise. The attack surface is broad: ChromaDB is routinely deployed without authentication in internal networks and development environments, relying on network perimeter as the sole control. The trust_remote_code=True pattern in ML frameworks has a well-documented exploitation history (HuggingFace Transformers, PyTorch Hub, Pickle-based loaders), making this attack class immediately accessible to AI-aware adversaries without novel research. Blast radius is highest for organizations running ChromaDB on cloud instances with API exposed to the internet or in Kubernetes clusters lacking network segmentation between AI workloads.

Attack Kill Chain

Initial Access (AML.T0049)
Attacker sends an unauthenticated POST request to the ChromaDB /api/v2/tenants/{tenant}/databases/{db}/collections endpoint, requiring no credentials or prior foothold.

Malicious Artifact Delivery (AML.T0011.000)
The request body includes a reference to an attacker-controlled model repository with trust_remote_code=True, causing ChromaDB to fetch and stage the adversary's code as part of collection setup.

Code Execution (AML.T0050)
ChromaDB executes the adversary's repository code in the server process context, achieving arbitrary command execution with the privileges of the ChromaDB service account.

Impact (AML.T0072)
Attacker exfiltrates the full vector store (embeddings, document chunks, stored credentials), establishes a reverse shell for persistent access, and optionally poisons vectors to corrupt RAG retrieval for downstream LLM consumers.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
chromadb   pip         ≥1.0.0             No patch

Package stats: 28.0K, OpenSSF 5.1, 1.1K dependents, pushed 4d ago, 0% patched

Do you use chromadb? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.1% chance of exploitation in 30 days (higher than 34% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

6 steps

1. IMMEDIATE: Block unauthenticated access to ChromaDB API (default port 8000) via firewall rules, cloud security groups, or Kubernetes NetworkPolicy — treat any internet-exposed instance as compromised.

2. PATCH: Monitor github.com/chroma-core/chroma and the chromadb PyPI package for a patched release; upgrade as soon as available and verify the fix addresses the trust_remote_code code path.

3. PROXY: Deploy an authenticated reverse proxy (nginx + OAuth2 proxy, or equivalent) in front of ChromaDB if direct network isolation is not feasible.

4. DETECT: Alert on unexpected child process spawning from the ChromaDB process (bash, sh, curl, wget, python subprocesses), anomalous outbound TCP connections, and unusual volume of collection-creation API calls in access logs.

5. CONTAINER: Ensure ChromaDB is not running on host network mode; apply seccomp/AppArmor profiles and drop unnecessary capabilities to limit post-exploitation damage.

6. AUDIT: Use asset inventory to enumerate all ChromaDB instances running ≥1.0.0 with API reachable from untrusted networks; treat each as a potential incident pending patch.
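The DETECT and AUDIT steps above can be turned into concrete checks. The following is an added example, not ChromaDB project code and not part of this advisory: it assumes nginx-style access logs from a proxy in front of ChromaDB, JSON-lines process-start events carrying pid, parent_comm and comm fields (the shape an EDR or auditd pipeline might be normalized to), and asset-inventory records with host, version and reachable_from_untrusted fields. All sample log lines, events and inventory records are constructed for illustration; the python3 process name is an assumed alias of the python entry on the advisory's watch list.

```python
"""Detection and audit helpers for the DETECT and AUDIT steps.

Added example, not ChromaDB project code. The access-log lines, process events and
inventory records are constructed for illustration; point the parsers at whatever your
proxy, EDR and asset inventory actually emit.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Collection-creation endpoint named in the advisory, matched in nginx-style access logs.
COLLECTION_CREATE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST '
    r'/api/v2/tenants/[^/]+/databases/[^/]+/collections/?(?:\?\S*)? HTTP/[\d.]+"'
)

# Child-process names from the DETECT step; python3 is an assumed alias of python.
SUSPICIOUS_CHILDREN = {"bash", "sh", "curl", "wget", "python", "python3"}

# Constructed sample: one source hammers the collection endpoint, another behaves normally.
SAMPLE_ACCESS_LOG = "\n".join(
    f'203.0.113.7 - - [18/May/2026:10:00:0{s} +0000] "POST /api/v2/tenants/default_tenant'
    f'/databases/default_database/collections HTTP/1.1" 200 312' for s in range(1, 7)
) + """
10.0.0.5 - - [18/May/2026:10:00:03 +0000] "GET /api/v2/heartbeat HTTP/1.1" 200 21
10.0.0.5 - - [18/May/2026:10:00:04 +0000] "POST /api/v2/tenants/default_tenant/databases/default_database/collections HTTP/1.1" 200 312
"""

# Constructed sample: process-start events as JSON lines (pid, parent_comm, comm).
SAMPLE_PROCESS_EVENTS = """\
{"pid": 4242, "parent_comm": "chroma", "comm": "bash"}
{"pid": 4243, "parent_comm": "chroma", "comm": "python3"}
{"pid": 4244, "parent_comm": "sshd", "comm": "bash"}
{"pid": 4245, "parent_comm": "chroma", "comm": "chroma"}
"""

# Constructed sample: asset-inventory records.
SAMPLE_INVENTORY = [
    {"host": "vec-prod-1", "version": "1.1.0", "reachable_from_untrusted": True},
    {"host": "vec-dev-2", "version": "0.6.3", "reachable_from_untrusted": True},
    {"host": "vec-int-3", "version": "1.0.0", "reachable_from_untrusted": False},
    {"host": "vec-prod-4", "version": "1.0.12", "reachable_from_untrusted": True},
]


def collection_create_bursts(access_log, threshold=5, window=timedelta(minutes=1)):
    """{source_ip: total_creates} for sources issuing >= threshold collection-creation
    POSTs inside any window-long interval (the 'unusual volume' signal)."""
    times_by_ip = defaultdict(list)
    for line in access_log.splitlines():
        m = COLLECTION_CREATE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            times_by_ip[m.group("ip")].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def suspicious_child_processes(process_events, service_comm="chroma"):
    """[(pid, comm)] for children of the ChromaDB service whose name is on the watch list."""
    hits = []
    for line in process_events.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("parent_comm") == service_comm and ev.get("comm") in SUSPICIOUS_CHILDREN:
                hits.append((ev["pid"], ev["comm"]))
    return hits


def parse_version(version):
    """'1.2.3' -> (1, 2, 3); anything after the third numeric component is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.groups())


def exposed_vulnerable_instances(inventory, min_version=(1, 0, 0)):
    """Hosts running chromadb >= min_version whose API is reachable from untrusted
    networks: each one is a potential incident pending a patch."""
    return sorted(
        rec["host"] for rec in inventory
        if parse_version(rec["version"]) >= min_version and rec["reachable_from_untrusted"]
    )
```

The burst detector uses a sliding window over sorted timestamps so a slow trickle of collection creates does not alert while a rapid series from one source does; tune threshold and window to the baseline of your own RAG ingestion jobs. The process check deliberately ignores a chroma worker spawning another chroma process, which is normal, and only flags the interpreter and download tools the advisory names.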

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.6 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain responsible AI practices
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-45829 actively exploited?

No confirmed active exploitation of CVE-2026-45829 has been reported, but organizations should still apply the mitigations above proactively and upgrade as soon as a patched release is available.

What systems are affected by CVE-2026-45829?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, Vector databases, AI agent frameworks, LLM application backends, Model serving infrastructure.

What is the CVSS score for CVE-2026-45829?

No CVSS score has been assigned yet.

Technical Details

NVD Description

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

Exploitation Scenario

An attacker identifies a target organization running ChromaDB ≥1.0.0 — via Shodan fingerprinting on port 8000, through leaked infrastructure documentation, or knowledge of the target's AI stack from job postings. Without any credentials, the attacker crafts a POST request to /api/v2/tenants/default_tenant/databases/default_database/collections containing a payload that references an attacker-controlled GitHub repository hosting malicious Python code and sets trust_remote_code=True in the request body. ChromaDB processes the collection creation request, fetches the adversary's repository, and executes the embedded code in the server process context. The payload establishes a reverse shell to attacker-controlled C2 infrastructure. From this foothold the attacker dumps the entire vector store (embeddings, source text chunks, metadata), harvests API keys and cloud credentials from environment variables, and optionally poisons the vector database with adversarial embeddings designed to manipulate RAG retrieval for downstream LLM users — turning the vector database breach into an ongoing supply chain attack on the application layer.
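Both the kill chain and the scenario above hinge on an unauthenticated POST to the collections endpoint whose body enables trust_remote_code. A compensating control that fits the PROXY step is a request guard in the authenticating reverse proxy, and the following is an added example of one: it is not ChromaDB project code and not the vendor fix. It assumes a static bearer token configured on the proxy and JSON request bodies; because the advisory does not state where in the body the trust_remote_code flag lives, the guard scans the entire body for any key of that name. The SAMPLE_BODY nesting under "configuration" is a placeholder, not ChromaDB's real collection schema.

```python
"""Request guard for an authenticating reverse proxy in front of ChromaDB.

Added example, not ChromaDB project code and not the vendor fix. It assumes a static
bearer token configured on the proxy and JSON request bodies; the advisory does not say
where in the body the trust_remote_code flag lives, so the whole body is scanned.
"""
import hmac
import json
import re

# Endpoint named in the advisory; tenant and database segments are wildcards.
COLLECTION_CREATE_PATH = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/?$")

TRUE_STRINGS = {"true", "1", "yes", "on"}

# Constructed sample request; the nesting under "configuration" is a placeholder,
# not ChromaDB's real collection schema.
SAMPLE_PATH = "/api/v2/tenants/default_tenant/databases/default_database/collections"
SAMPLE_BODY = '{"name": "docs", "configuration": {"trust_remote_code": true}}'


def _is_truthy(value):
    """JSON true, non-zero numbers and common string spellings all enable the flag."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value.strip().lower() in TRUE_STRINGS
    return False


def requests_remote_code(body):
    """Recursively look for any key named trust_remote_code with an enabling value."""
    if isinstance(body, dict):
        return any(
            (key == "trust_remote_code" and _is_truthy(value)) or requests_remote_code(value)
            for key, value in body.items()
        )
    if isinstance(body, list):
        return any(requests_remote_code(item) for item in body)
    return False


def _bearer_token(headers):
    """Extract the bearer token, matching the header name case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.startswith("Bearer "):
            return value[len("Bearer "):]
    return ""


def guard_request(method, path, headers, body, expected_token):
    """Return (allow, reason). Every request must present the bearer token, closing the
    pre-auth path; collection creation is additionally refused when the body enables
    trust_remote_code or is not valid JSON."""
    presented = _bearer_token(headers)
    if not presented or not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False, "missing or invalid bearer token"
    if method.upper() == "POST" and COLLECTION_CREATE_PATH.match(path):
        try:
            parsed = json.loads(body or "{}")
        except ValueError:
            return False, "collection creation body is not valid JSON"
        if requests_remote_code(parsed):
            return False, "collection creation enabling trust_remote_code refused"
    return True, "forwarded"
```

Authentication is checked first and for every path, since the advisory's root problem is that the API is reachable without credentials at all; the body rule is a second layer that also protects against an authenticated but compromised client. The token comparison goes through hmac.compare_digest on bytes so a mismatch takes constant time and a non-ASCII token from the client cannot raise an exception in the proxy.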

Weaknesses (CWE)

Timeline

Published: May 18, 2026
Last Modified: May 19, 2026
First Seen: May 18, 2026

Related Vulnerabilities