CVE-2026-45829: ChromaDB: pre-auth RCE via trust_remote_code injection

GHSA-f4j7-r4q5-qw2c CRITICAL CISA: ATTEND
Published May 18, 2026
CISO Take

ChromaDB versions ≥1.0.0 contain a pre-authentication remote code execution flaw in the collection creation API endpoint that allows any unauthenticated network attacker to execute arbitrary code on the server by submitting a crafted malicious model repository with trust_remote_code set to true — no credentials, no user interaction required. ChromaDB is a foundational vector database widely deployed in RAG pipelines, AI agent backends, and LLM applications, meaning a compromised instance exposes all stored embeddings, raw document chunks, and whatever host-level access the process holds, with a realistic pivot path into connected ML infrastructure. No CVSS score or EPSS percentile is available yet given the same-day publication, but the pre-authentication, zero-click exploitation path is functionally equivalent to a CVSS 9.8 — the trust_remote_code attack class is well-understood by AI-aware threat actors following prior HuggingFace and PyTorch Hub exploitation patterns. Immediately isolate ChromaDB API endpoints (default port 8000) behind authenticated proxies or firewall rules, block any public exposure, and monitor for unexpected child processes or outbound connections from the ChromaDB service.

Sources: NVD, GitHub Advisory, ATLAS, hiddenlayer.com

What is the risk?

CRITICAL in practice despite the absent CVSS score. Pre-authentication code injection requires no credentials, no user interaction, and no prior foothold — any attacker with network reach to the ChromaDB API achieves full server compromise. The attack surface is broad: ChromaDB is routinely deployed without authentication in internal networks and development environments, relying on network perimeter as the sole control. The trust_remote_code=True pattern in ML frameworks has a well-documented exploitation history (HuggingFace Transformers, PyTorch Hub, Pickle-based loaders), making this attack class immediately accessible to AI-aware adversaries without novel research. Blast radius is highest for organizations running ChromaDB on cloud instances with API exposed to the internet or in Kubernetes clusters lacking network segmentation between AI workloads.

How does the attack unfold?

Initial Access (AML.T0049): Attacker sends an unauthenticated POST request to the ChromaDB /api/v2/tenants/{tenant}/databases/{db}/collections endpoint, requiring no credentials or prior foothold.

Malicious Artifact Delivery (AML.T0011.000): The request body includes a reference to an attacker-controlled model repository with trust_remote_code=True, causing ChromaDB to fetch and stage the adversary's code as part of collection setup.

Code Execution (AML.T0050): ChromaDB executes the adversary's repository code in the server process context, achieving arbitrary command execution with the privileges of the ChromaDB service account.

Impact (AML.T0072): Attacker exfiltrates the full vector store (embeddings, document chunks, stored credentials), establishes a reverse shell for persistent access, and optionally poisons vectors to corrupt RAG retrieval for downstream LLM consumers.

What systems are affected?

Package    Ecosystem   Vulnerable Range     Patched
ChromaDB   pip         >= 1.0.0, <= 1.5.9   No patch

Package profile: 28.6K, OpenSSF 5.0, 1.2K dependents, pushed 6d ago, 0% patched.

Do you use ChromaDB? You're affected.

How severe is it?

CVSS 3.1: 10.0 / 10
EPSS: 12.4% chance of exploitation in 30 days (higher than 96% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
EPSS exploit prediction: 12%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps

  1. IMMEDIATE: Block unauthenticated access to ChromaDB API (default port 8000) via firewall rules, cloud security groups, or Kubernetes NetworkPolicy — treat any internet-exposed instance as compromised.

  2. PATCH: Monitor github.com/chroma-core/chroma and the chromadb PyPI package for a patched release; upgrade as soon as available and verify the fix addresses the trust_remote_code code path.

  3. PROXY: Deploy an authenticated reverse proxy (nginx + OAuth2 proxy, or equivalent) in front of ChromaDB if direct network isolation is not feasible.

  4. DETECT: Alert on unexpected child process spawning from the ChromaDB process (bash, sh, curl, wget, python subprocesses), anomalous outbound TCP connections, and unusual volume of collection-creation API calls in access logs.

  5. CONTAINER: Ensure ChromaDB is not running on host network mode; apply seccomp/AppArmor profiles and drop unnecessary capabilities to limit post-exploitation damage.

  6. AUDIT: Use asset inventory to enumerate all ChromaDB instances running ≥1.0.0 with API reachable from untrusted networks; treat each as a potential incident pending patch.
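The DETECT step calls for alerting on an unusual volume of collection-creation calls, and the IMMEDIATE step for confirming that no unauthenticated client reaches the API. The script below is an added example, not code from ChromaDB or from the advisory sources, that runs those two checks over a request log. It assumes a reverse proxy in front of ChromaDB writes one JSON record per request with the fields ts, src, method, path, auth (whether the proxy authenticated the client) and status; the field names and the log lines themselves are constructed for this example. Only the request path and method come from the advisory. It flags accepted collection creations that were unauthenticated, that came from outside the trusted networks, or that arrived in a burst.

```python
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Collection creation on the v2 API is a POST to this path (per the advisory).
COLLECTION_CREATE = re.compile(
    r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/?$"
)

# Constructed sample: JSON-lines request log from a hypothetical reverse proxy
# in front of ChromaDB. Field names are an assumption for this example, not a
# real proxy or ChromaDB log format. 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
{"ts": "2026-05-18T10:00:01Z", "src": "10.20.0.5", "method": "POST", "path": "/api/v2/tenants/default_tenant/databases/default_database/collections", "auth": true, "status": 200}
{"ts": "2026-05-18T10:00:02Z", "src": "10.20.0.5", "method": "GET", "path": "/api/v2/tenants/default_tenant/databases/default_database/collections", "auth": true, "status": 200}
{"ts": "2026-05-18T10:05:00Z", "src": "203.0.113.7", "method": "POST", "path": "/api/v2/tenants/default_tenant/databases/default_database/collections", "auth": false, "status": 200}
{"ts": "2026-05-18T10:05:01Z", "src": "203.0.113.7", "method": "POST", "path": "/api/v2/tenants/default_tenant/databases/default_database/collections", "auth": false, "status": 200}
{"ts": "2026-05-18T10:05:02Z", "src": "203.0.113.7", "method": "POST", "path": "/api/v2/tenants/default_tenant/databases/default_database/collections", "auth": false, "status": 200}
{"ts": "2026-05-18T10:05:03Z", "src": "203.0.113.7", "method": "POST", "path": "/api/v2/tenants/default_tenant/databases/default_database/collections", "auth": false, "status": 200}
{"ts": "2026-05-18T10:30:00Z", "src": "10.20.0.9", "method": "POST", "path": "/api/v2/tenants/default_tenant/databases/default_database/collections", "auth": false, "status": 401}
"""


def parse_log(text):
    """Parse JSON lines into records with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    return events


def is_collection_create(rec):
    return rec["method"] == "POST" and COLLECTION_CREATE.match(rec["path"]) is not None


def max_in_window(times, window_seconds):
    """Largest number of events that fall inside any window of window_seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, trusted_nets, burst_threshold=3, window_seconds=60):
    """Return a list of findings about accepted collection-creation calls."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    by_src = defaultdict(list)
    for rec in parse_log(log_text):
        # Only accepted creations matter: a 401 from the proxy means the
        # request never reached ChromaDB.
        if is_collection_create(rec) and 200 <= rec["status"] < 300:
            by_src[rec["src"]].append(rec)

    findings = []
    for src, recs in sorted(by_src.items()):
        unauth = [r for r in recs if not r["auth"]]
        if unauth:
            findings.append({"rule": "unauthenticated_create", "src": src, "count": len(unauth)})
        if not any(ipaddress.ip_address(src) in n for n in nets):
            findings.append({"rule": "untrusted_source", "src": src, "count": len(recs)})
        peak = max_in_window([r["ts"] for r in recs], window_seconds)
        if peak >= burst_threshold:
            findings.append({"rule": "creation_burst", "src": src, "count": peak})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(f"{f['rule']:24} src={f['src']:16} count={f['count']}")
```

On the constructed log the internal client 10.20.0.5 produces no finding, the 401 from 10.20.0.9 is ignored because the proxy rejected it, and 203.0.113.7 trips all three rules. Any "unauthenticated_create" finding is the more important signal: it means the IMMEDIATE step has not taken effect and the instance should be handled as the advisory recommends for exposed hosts.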

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain responsible AI practices
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-45829?

Answered in the CISO Take summary at the top of this page.

Is CVE-2026-45829 actively exploited?

No confirmed active exploitation of CVE-2026-45829 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-45829?

The six steps are listed under "What should I do?" above.

What systems are affected by CVE-2026-45829?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, Vector databases, AI agent frameworks, LLM application backends, Model serving infrastructure.

What is the CVSS score for CVE-2026-45829?

CVE-2026-45829 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 12.39%.

What is the AI security impact?

Affected AI Architectures

  • RAG pipelines
  • Vector databases
  • AI agent frameworks
  • LLM application backends
  • Model serving infrastructure

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

Exploitation Scenario

An attacker identifies a target organization running ChromaDB ≥1.0.0 — via Shodan fingerprinting on port 8000, through leaked infrastructure documentation, or knowledge of the target's AI stack from job postings. Without any credentials, the attacker crafts a POST request to /api/v2/tenants/default_tenant/databases/default_database/collections containing a payload that references an attacker-controlled GitHub repository hosting malicious Python code and sets trust_remote_code=True in the request body. ChromaDB processes the collection creation request, fetches the adversary's repository, and executes the embedded code in the server process context. The payload establishes a reverse shell to attacker-controlled C2 infrastructure. From this foothold the attacker dumps the entire vector store (embeddings, source text chunks, metadata), harvests API keys and cloud credentials from environment variables, and optionally poisons the vector database with adversarial embeddings designed to manipulate RAG retrieval for downstream LLM users — turning the vector database breach into an ongoing supply chain attack on the application layer.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
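The first CWE-94 mitigation above, not generating code from externally influenced input, translates for this bug into a server-side rule: a collection-creation request must never be able to turn on remote-code loading or name an unpinned model source. The gate below is an added example of that rule, written as a check an operator could run in the authenticated reverse proxy from the PROXY step; it is not ChromaDB's code and does not use ChromaDB's real request schema. The body layout (configuration.embedding_function.model), the key names in MODEL_KEYS, the allowlist and the sample requests are all constructed for this example. It rejects any trust_remote_code key that is not literally false, any model reference outside a pinned allowlist, and any URL-style reference anywhere in the body.

```python
import json
import re

# Constructed allowlist: a real deployment would pin the embedding models that
# are actually vendored into the image, by name or digest.
ALLOWED_MODELS = {"all-MiniLM-L6-v2", "bge-small-en-v1.5"}

# Keys that name a model or repository to load. Assumed names for this example.
MODEL_KEYS = {"model", "model_name", "repo_id", "repository"}

# Anything that looks like a fetchable remote location is rejected outright.
REMOTE_REF = re.compile(r"^(https?|git|ssh|file)://|^git\+", re.IGNORECASE)


def walk(obj, path="$"):
    """Yield (path, key, value) for every key in a nested JSON structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield f"{path}.{key}", key, value
            yield from walk(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")


def validate_create_request(body, allowed_models=ALLOWED_MODELS):
    """Return the reasons to reject a parsed request body; empty means accept."""
    reasons = []
    for path, key, value in walk(body):
        # The flag is never honoured from the client side: only an explicit
        # false is tolerated, so "true", 1 or a nested object are all rejected.
        if key == "trust_remote_code" and value is not False:
            reasons.append(f"{path}: trust_remote_code must be absent or false")
        if key in MODEL_KEYS and (not isinstance(value, str) or value not in allowed_models):
            reasons.append(f"{path}: model {value!r} is not in the pinned allowlist")
        if isinstance(value, str) and REMOTE_REF.match(value):
            reasons.append(f"{path}: remote reference {value!r} is not allowed")
    return reasons


def gate(raw_body):
    """Parse a raw request body and decide; returns (accepted, reasons)."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return False, [f"malformed JSON: {exc.msg}"]
    reasons = validate_create_request(body)
    return not reasons, reasons


# Constructed sample requests in the assumed body layout.
BENIGN = {
    "name": "docs",
    "configuration": {"embedding_function": {"model": "all-MiniLM-L6-v2"}},
}
SUSPICIOUS = {
    "name": "docs",
    "configuration": {
        "embedding_function": {
            "model": "example-org/untrusted-model",  # placeholder, not a real repo
            "trust_remote_code": True,
        }
    },
}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        accepted, reasons = gate(json.dumps(req))
        print(label, "accepted" if accepted else "rejected", reasons)
```

The check is deliberately positive (allowlist) rather than negative: a denylist of repository hosts would still let a new remote source through, while an allowlist fails closed until an operator pins the model. Pair it with the CONTAINER step, since a gate in front of the service limits what reaches the vulnerable code path but does not change what that code path can do once reached.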

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: May 18, 2026
Last Modified: June 29, 2026
First Seen: May 18, 2026
