Critical | 1 public exploit

Pre-auth RCE in ChromaDB Python FastAPI collection creation endpoint

CVE-2026-45829 is a pre-authentication code injection / remote code execution vulnerability in the Python FastAPI implementation of ChromaDB, affecting version 1.0.0 or later and reported as present through 1.5.8. The flaw is in the collection creation API path, including /api/v2/tenants/{tenant}/databases/{db}/collections, where attacker-controlled embedding function configuration is processed before authentication is enforced. An unauthenticated attacker can submit a crafted request that specifies an attacker-controlled Hugging Face model repository and sets trust_remote_code=true. ChromaDB then loads the model and executes remote Python code from that repository before the authentication check completes. The root cause is that client-supplied model-loading parameters are forwarded into embedding/model loading logic prior to auth validation, enabling arbitrary code execution in the ChromaDB server process.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. For analysts and engineers who need to decide and keep moving.

Impact

What an attacker gets — and what they’ve been doing with it.

Successful exploitation yields unauthenticated arbitrary code execution in the ChromaDB server process. An attacker can gain control of the process context, access environment variables, API keys, mounted secrets, and data accessible on disk to the service, including stored vector database content. Depending on deployment, this can enable full compromise of the application host, data theft, service disruption, persistence, and lateral movement into connected systems or cloud resources reachable from the ChromaDB runtime.

Mitigation

If you can’t patch tonight, do this now.

Do not expose the Python FastAPI ChromaDB service to the public internet. Restrict network access to the API port to trusted clients only. Prefer the Rust frontend or official Docker images where applicable, as the provided content states this specific FastAPI issue does not affect the Rust-based deployment. Treat external model references as untrusted code, avoid enabling trust_remote_code for untrusted sources, and scan ML model artifacts before runtime. If possible, isolate the ChromaDB service with least-privilege credentials and minimal access to secrets and sensitive storage.
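One way to apply the access restriction and the trust_remote_code rule above at a reverse proxy in front of the service, as an added example (not ChromaDB or Mallory code): refuse unauthenticated collection-creation requests and reject any body that enables trust_remote_code at any nesting depth. The `authenticated` flag, the function names and the sample body layout are assumptions; the body is constructed and is not ChromaDB's documented schema.

```python
import json
import re

# Collection-creation route named in the advisory.
CREATE_ROUTE = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/?$")

def _truthy(value):
    """Treat JSON true, non-zero numbers and 'true'/'1'/'yes' strings as enabled."""
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes"}
    return isinstance(value, (bool, int, float)) and bool(value)

def find_flag(node, path="$"):
    """Yield JSON paths where trust_remote_code is enabled, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key.lower() == "trust_remote_code" and _truthy(value):
                yield here
            yield from find_flag(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_flag(item, f"{path}[{i}]")
    elif isinstance(node, str) and node.lstrip().startswith(("{", "[")):
        try:  # configuration carried as a JSON-encoded string
            yield from find_flag(json.loads(node), path + "<json>")
        except ValueError:
            pass

def screen_request(method, path, authenticated, body):
    """Return (allow, reason) for one request seen by the proxy."""
    if method.upper() != "POST" or not CREATE_ROUTE.match(path.split("?", 1)[0]):
        return True, "not collection creation"
    if not authenticated:  # assumption: the proxy has already verified credentials
        return False, "unauthenticated collection creation"
    try:
        hits = list(find_flag(json.loads(body)))
    except (ValueError, RecursionError):
        return False, "unparseable body"
    if hits:
        return False, "trust_remote_code enabled at " + ", ".join(hits)
    return True, "ok"

# Constructed sample body; the key layout is illustrative, not ChromaDB's schema.
SAMPLE_BODY = json.dumps({"name": "docs", "settings": {"embedding": {
    "model": "example-org/example-model", "kwargs": {"trust_remote_code": True}}}})
```

The filter fails closed: a collection-creation body that cannot be parsed is rejected instead of being passed through to the service.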

Remediation

Patch, then assume compromise.

Upgrade to a vendor-fixed release once a version explicitly confirmed to remediate CVE-2026-45829 is available. The provided content states the issue affects 1.0.0 or later and was present through 1.5.8; it is unclear from the available information whether 1.5.9 fully fixes the vulnerability. Review upstream ChromaDB security guidance and changelogs, and validate that any deployed version enforces authentication before processing embedding/model configuration and disallows unsafe remote model code execution paths for untrusted requests.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

FULL-ANALYSIS---CVE-2026-45829-ChromaDB- | Maturity: PoC | Verified exploit

Repository contains a functional Python proof-of-concept exploit for CVE-2026-45829 targeting ChromaDB Python deployments. The main script, cve_2026_45829_poc.py, checks the target version via /api/v2/version and then sends a POST request to /api/v2/tenants/{tenant}/databases/{database}/collections with crafted metadata that specifies a Hugging Face embedding model and sets trust_remote_code=true. The intended effect is to make the target fetch and execute attacker-controlled Python code from a remote model repository before authentication is enforced, yielding pre-auth RCE. The exploit treats HTTP 500 as a likely success condition because model loading may already have occurred even if auth later fails. The repository also includes a separate safe detection script that only checks the version endpoint, a simple Python reverse-shell listener binding to 0.0.0.0:4444 for post-exploitation interaction, and short text files for execution instructions, mitigation guidance, and references. Overall purpose: demonstrate and operationalize unauthenticated remote code execution against vulnerable ChromaDB versions 1.0.0 through 1.5.8 by abusing remote model loading from Hugging Face.

fevar54 | Disclosed May 20, 2026 | python, markdown, web, network
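A log triage pass for the behaviour described above, added here as an example (not code from the repository or from Mallory): it flags clients whose collection-creation POST returned 500 or an auth rejection, and notes when the same client queried /api/v2/version first. The combined-log line format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed combined-log-style line: client, ident, user, [time], "request", status, size.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
CREATE_ROUTE = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/?$")
VERSION_PATH = "/api/v2/version"

def triage(lines):
    """Return {client_ip: sorted reasons} for clients that warrant a closer look."""
    probed, findings = set(), defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]
        if m["method"] == "GET" and path == VERSION_PATH:
            probed.add(ip)
        elif m["method"] == "POST" and CREATE_ROUTE.match(path):
            if status == 500:
                # Model loading may already have run even though the request failed.
                findings[ip].add("collection create returned 500")
            elif status in (401, 403):
                # On affected versions the config is processed before auth is enforced,
                # so a rejection does not prove that nothing was loaded.
                findings[ip].add("collection create rejected by auth")
            else:
                continue
            if ip in probed:
                findings[ip].add("version probe before create")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

# Constructed sample lines (documentation address ranges, made-up tenant names).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/May/2026:10:01:02 +0000] "GET /api/v2/version HTTP/1.1" 200 12',
    '198.51.100.7 - - [20/May/2026:10:01:03 +0000] '
    '"POST /api/v2/tenants/t1/databases/d1/collections HTTP/1.1" 500 87',
    '192.0.2.10 - svc [20/May/2026:10:02:00 +0000] '
    '"POST /api/v2/tenants/t1/databases/d1/collections HTTP/1.1" 200 310',
    '192.0.2.44 - - [20/May/2026:10:03:00 +0000] '
    '"POST /api/v2/tenants/t1/databases/d1/collections HTTP/1.1" 401 40',
]
```

A hit is a lead, not a verdict: correlate flagged clients with outbound connections and child processes of the ChromaDB service around the same timestamps.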
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Chroma | Chromadb | application

Vendor-confirmed product mapping. Mallory continuously reconciles against your asset inventory in the product.

ACTIVITY FEED

Recent activity

18 sources tracked across advisories, community write-ups, and news. Mallory keeps watching after this page renders.
