Code Injection Flaw in ChromaDB Python Project by Chroma Core
CVE-2026-45829
What is CVE-2026-45829?
CVE-2026-45829 is a serious vulnerability in the ChromaDB Python project affecting version 1.0.0 and later releases. It is a pre-authentication code injection flaw: an unauthenticated attacker can execute arbitrary code on the server by submitting a malicious model repository through a specific API endpoint while the trust_remote_code setting is enabled. Because ChromaDB is a vector database that AI applications rely on, the flaw can hand an attacker control over critical systems and the data they hold.
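As an added illustration (not code from the original page or from the Chroma project), the check below audits a downloaded model repository for the hooks that a loader would execute when trust_remote_code is enabled, so an operator can refuse such repositories before they are loaded. It assumes the Hugging Face convention that an auto_map entry in config.json and Python files shipped in the repository are what trust_remote_code=True would run; both sample repositories are constructed.

```python
import json
import os
import tempfile

CONFIG_NAME = "config.json"      # Hugging Face-style model config (assumed convention)
REMOTE_CODE_KEY = "auto_map"     # key that maps loader classes to repo-local Python


def audit_model_repo(repo_dir):
    """List the reasons loading repo_dir with trust_remote_code=True would run
    repository-supplied Python. An empty list means no remote-code hooks found."""
    findings = []
    for root, _dirs, files in os.walk(repo_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, repo_dir)
            if name.endswith(".py"):
                findings.append(f"python source shipped in repo: {rel}")
            elif name == CONFIG_NAME:
                try:
                    with open(path, encoding="utf-8") as fh:
                        cfg = json.load(fh)
                except json.JSONDecodeError:
                    findings.append(f"unparseable {rel}")
                    continue
                hooks = cfg.get(REMOTE_CODE_KEY) if isinstance(cfg, dict) else None
                if isinstance(hooks, dict) and hooks:
                    mapped = ", ".join(f"{k}->{v}" for k, v in hooks.items())
                    findings.append(f"{rel} points loader classes at repo code: {mapped}")
    return findings


def safe_to_load(repo_dir, trust_remote_code):
    """Policy gate: a repo carrying remote-code hooks is only acceptable when
    trust_remote_code is off, since the loader then refuses custom code."""
    return not trust_remote_code or not audit_model_repo(repo_dir)


def _make_repo(files):
    # Write a constructed sample repository (not a real model) to a temp dir.
    repo = tempfile.mkdtemp()
    for name, content in files.items():
        with open(os.path.join(repo, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return repo


# Constructed samples: a weights-only config versus one that registers custom code.
CLEAN_REPO = _make_repo({CONFIG_NAME: json.dumps({"model_type": "bert"})})
HOOKED_REPO = _make_repo({
    CONFIG_NAME: json.dumps({"model_type": "bert", REMOTE_CODE_KEY: {"AutoModel": "modeling_custom.CustomModel"}}),
    "modeling_custom.py": "# repo-supplied code that a trusting loader would import\n",
})
```

Running `audit_model_repo` on a repository before it reaches the embedding loader turns the silent trust_remote_code execution path into a logged, reviewable decision.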
Potential impact of CVE-2026-45829
- Arbitrary Code Execution: Attackers can exploit this vulnerability to execute any code of their choosing on the server, which may lead to complete system compromise or manipulation of sensitive data.
- Data Breaches: Given the ability to run arbitrary code, attackers could gain access to confidential information stored within the database, potentially resulting in significant data breaches and loss of sensitive information.
- System Integrity and Availability Risks: The exploitation of this vulnerability can undermine the integrity of the entire system, leading to unauthorized modifications, data corruption, or service disruptions, which can affect business operations significantly.
Affected Version(s)
ChromaDB 1.0.0
News Articles
Max-severity flaw in ChromaDB for AI apps allows server hijacking
A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.
3 weeks ago
Unpatched ChromaDB Vulnerability Can Lead to Server Takeover
An unpatched vulnerability in ChromaDB could be exploited without authentication for remote code execution and server takeover.
4 weeks ago
Timeline
- Exploit known to exist
- First article discovered by SecurityWeek
- Vulnerability published
- Vulnerability Reserved
