CVE-2026-45829: ChromaDB: pre-auth RCE via trust_remote_code injection
GHSA-f4j7-r4q5-qw2c | CRITICAL | CISA: ATTEND
ChromaDB versions ≥1.0.0 contain a pre-authentication remote code execution flaw in the collection creation API endpoint that allows any unauthenticated network attacker to execute arbitrary code on the server by submitting a crafted malicious model repository with trust_remote_code set to true — no credentials, no user interaction required. ChromaDB is a foundational vector database widely deployed in RAG pipelines, AI agent backends, and LLM applications, meaning a compromised instance exposes all stored embeddings, raw document chunks, and whatever host-level access the process holds, with a realistic pivot path into connected ML infrastructure. No CVSS score or EPSS percentile is available yet given the same-day publication, but the pre-authentication, zero-click exploitation path is functionally equivalent to a CVSS 9.8 — the trust_remote_code attack class is well-understood by AI-aware threat actors following prior HuggingFace and PyTorch Hub exploitation patterns. Immediately isolate ChromaDB API endpoints (default port 8000) behind authenticated proxies or firewall rules, block any public exposure, and monitor for unexpected child processes or outbound connections from the ChromaDB service.
What is the risk?
CRITICAL in practice despite the absent CVSS score. Pre-authentication code injection requires no credentials, no user interaction, and no prior foothold — any attacker with network reach to the ChromaDB API achieves full server compromise. The attack surface is broad: ChromaDB is routinely deployed without authentication in internal networks and development environments, relying on network perimeter as the sole control. The trust_remote_code=True pattern in ML frameworks has a well-documented exploitation history (HuggingFace Transformers, PyTorch Hub, Pickle-based loaders), making this attack class immediately accessible to AI-aware adversaries without novel research. Blast radius is highest for organizations running ChromaDB on cloud instances with API exposed to the internet or in Kubernetes clusters lacking network segmentation between AI workloads.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ChromaDB | pip | >= 1.0.0, <= 1.5.9 | No patch |
Do you use ChromaDB? You're affected.
What should I do?
6 steps:
1. IMMEDIATE: Block unauthenticated access to ChromaDB API (default port 8000) via firewall rules, cloud security groups, or Kubernetes NetworkPolicy — treat any internet-exposed instance as compromised.
2. PATCH: Monitor github.com/chroma-core/chroma and the chromadb PyPI package for a patched release; upgrade as soon as available and verify the fix addresses the trust_remote_code code path.
3. PROXY: Deploy an authenticated reverse proxy (nginx + OAuth2 proxy, or equivalent) in front of ChromaDB if direct network isolation is not feasible.
4. DETECT: Alert on unexpected child process spawning from the ChromaDB process (bash, sh, curl, wget, python subprocesses), anomalous outbound TCP connections, and unusual volume of collection-creation API calls in access logs.
5. CONTAINER: Ensure ChromaDB is not running on host network mode; apply seccomp/AppArmor profiles and drop unnecessary capabilities to limit post-exploitation damage.
6. AUDIT: Use asset inventory to enumerate all ChromaDB instances running ≥1.0.0 with API reachable from untrusted networks; treat each as a potential incident pending patch.
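For the DETECT step, one way to review reverse-proxy access logs for collection-creation calls, shown as an added example that is not part of the advisory or the ChromaDB project. It assumes nginx "combined" log lines; the trusted subnet, the one-minute window and the threshold of three are hypothetical values to tune per environment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" \d{3} ')
CREATE = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/?(\?.*)?$")
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]  # assumed application subnet
WINDOW = timedelta(minutes=1)
BURST = 3  # assumed threshold: creations per client within WINDOW


def is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED)
    except ValueError:
        return False  # not an IP literal: treat as untrusted


def review(lines):
    """Return (untrusted, bursty) client sets for collection-creation POSTs."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m[3] == "POST" and CREATE.match(m[4]):
            seen[m[1]].append(datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"))
    untrusted = {ip for ip in seen if not is_trusted(ip)}
    bursty = set()
    for ip, stamps in seen.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW:  # slide the window forward
                start += 1
            if end - start + 1 >= BURST:
                bursty.add(ip)
                break
    return untrusted, bursty


# Constructed log lines (documentation address ranges), not real traffic.
_P = "/api/v2/tenants/default_tenant/databases/default_database/collections"
SAMPLE_LOG = [
    f'10.20.0.15 - - [01/Jan/2026:09:00:01 +0000] "POST {_P} HTTP/1.1" 200 312',
    f'203.0.113.7 - - [01/Jan/2026:09:05:10 +0000] "POST {_P} HTTP/1.1" 200 298',
    f'203.0.113.7 - - [01/Jan/2026:09:05:18 +0000] "POST {_P} HTTP/1.1" 200 298',
    f'203.0.113.7 - - [01/Jan/2026:09:05:31 +0000] "POST {_P} HTTP/1.1" 200 298',
    f'198.51.100.9 - - [01/Jan/2026:09:06:00 +0000] "GET {_P} HTTP/1.1" 200 1024',
    f'10.20.0.15 - - [01/Jan/2026:09:30:00 +0000] "POST {_P} HTTP/1.1" 200 312',
]
```

Any client in the first set is creating collections from outside the expected subnet and warrants triage regardless of volume.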
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-45829 actively exploited?
No confirmed active exploitation of CVE-2026-45829 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-45829?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, Vector databases, AI agent frameworks, LLM application backends, Model serving infrastructure.
What is the CVSS score for CVE-2026-45829?
CVE-2026-45829 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 12.39%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.003 Model
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0018.002 Embed Malware
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0072 Reverse Shell
What are the technical details?
Original Advisory
A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
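While no patched release exists, a reverse proxy or middleware in front of ChromaDB can refuse requests to this endpoint that carry the flag. The following is an added example, not code from the advisory or the ChromaDB project; the function names, the case-insensitive key match and the decision to cover sub-paths and PUT/PATCH are assumptions, and the path is assumed to be normalized by the proxy already.

```python
import json
import re

# Route from the advisory; the optional suffix also covers sub-paths under it
# (an assumption, chosen to be conservative).
COLLECTIONS_ROUTE = re.compile(
    r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections(?:/.*)?$"
)
FLAG = "trust_remote_code"


class Pairs(list):
    """A JSON object kept as (key, value) pairs so duplicate keys stay visible."""


def finds_flag(node):
    """True if the flag appears at any depth with a value other than false."""
    if isinstance(node, Pairs):
        return any(
            (key.lower() == FLAG and value is not False) or finds_flag(value)
            for key, value in node
        )
    if isinstance(node, list):
        return any(finds_flag(item) for item in node)
    if isinstance(node, str) and FLAG in node.lower():
        # The flag inside a string value: inspect it as embedded JSON,
        # and reject it when it cannot be parsed.
        try:
            return finds_flag(json.loads(node, object_pairs_hook=Pairs))
        except (ValueError, RecursionError):
            return True
    return False


def should_block(method, path, body):
    """Decide at the proxy whether to reject a request bound for ChromaDB."""
    path = path.split("?", 1)[0]
    if method.upper() not in {"POST", "PUT", "PATCH"}:
        return False
    if not COLLECTIONS_ROUTE.match(path):
        return False
    try:
        return finds_flag(json.loads(body, object_pairs_hook=Pairs))
    except (ValueError, RecursionError):
        return True  # fail closed on a body that cannot be inspected


# Constructed sample body; the nesting is illustrative, not ChromaDB's schema.
SAMPLE = b'{"name": "docs", "configuration": {"x": {"trust_remote_code": true}}}'
```

Keeping objects as key/value pairs matters because a body with the key repeated (true, then false) would otherwise be judged only by whichever copy the filter's parser keeps, which may differ from the copy the server honours.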
Exploitation Scenario
An attacker identifies a target organization running ChromaDB ≥1.0.0 — via Shodan fingerprinting on port 8000, through leaked infrastructure documentation, or knowledge of the target's AI stack from job postings. Without any credentials, the attacker crafts a POST request to /api/v2/tenants/default_tenant/databases/default_database/collections containing a payload that references an attacker-controlled GitHub repository hosting malicious Python code and sets trust_remote_code=True in the request body. ChromaDB processes the collection creation request, fetches the adversary's repository, and executes the embedded code in the server process context. The payload establishes a reverse shell to attacker-controlled C2 infrastructure. From this foothold the attacker dumps the entire vector store (embeddings, source text chunks, metadata), harvests API keys and cloud credentials from environment variables, and optionally poisons the vector database with adversarial embeddings designed to manipulate RAG retrieval for downstream LLM users — turning the vector database breach into an ongoing supply chain attack on the application layer.
Weaknesses (CWE)
CWE-94 Improper Control of Generation of Code ('Code Injection') (Primary): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2026-45832 | 8.8 | ChromaDB: V1 auth bypass exposes all tenant collections | Same package: chromadb |
| CVE-2026-45833 | 8.8 | ChromaDB: RCE via trust_remote_code in collection update | Same package: chromadb |
| CVE-2026-45830 | 8.8 | ChromaDB: auth bypass exposes any tenant's collections | Same package: chromadb |
| CVE-2026-45831 | 8.8 | ChromaDB: RBAC bypass enables cross-tenant data access | Same package: chromadb |
| CVE-2026-8828 | | ChromaDB: tenant isolation bypass exposes all tenant data | Same package: chromadb |