TP-EXP-2026-0311 | CVE-2026-45829 | High | Active Exploitation | AI Draft

ChromaDB pre-auth remote code execution in Python FastAPI server (CVE-2026-45829)

CVE: CVE-2026-45829
Platform: ChromaDB Python FastAPI server
Type: Remote Code Execution
Severity: High
Status: Active Exploitation
Zero-Day: Confirmed
Disclosed: May 18, 2026
CISA KEV: Not Listed

Severity Assessment

  • Exploitability: 7/10 — The create_collection endpoint accepts an attacker-controlled embedding configuration, including the model identifier, and runs model retrieval and load logic before authentication completes.
  • Impact: 9/10 — Code runs with the full privileges of the server process, exposing environment variables, mounted secrets, and any data stored on the server's disk.
  • Weaponization Risk: 8/10 — A publicly described PoC flow allows abuse with plain unauthenticated HTTP requests.
  • Patch Urgency: 8/10 — HiddenLayer states the issue is unpatched through version 1.5.8, so mitigation cannot wait for a fixed release.
  • Detection Coverage: 5/10 — Detection depends on endpoint traffic and host behaviour monitoring rather than a single deterministic control.

Summary

CVE-2026-45829 is a pre-authentication remote code execution flaw in the ChromaDB Python FastAPI server. HiddenLayer reports that the server loads a user-provided embedding model and executes model-supplied code before completing authentication checks on the create_collection flow.

The issue affects ChromaDB Python deployments whose API is reachable from untrusted networks. Because the vulnerable code runs before authentication completes, enabling ChromaDB's own authentication providers does not close the path; only restricting who can reach the endpoint does. HiddenLayer documents exploitation using an attacker-controlled Hugging Face model reference with trust_remote_code: true, which results in code execution inside the server process. The same behavior is reflected in the CSA research note and the NVD entry for this CVE.

Current references list affected versions 1.0.0 through 1.5.8, with no fixed release confirmed at the time of writing. Treat the issue as live until a fixed release is published; in the meantime, remove the attack path through deployment hardening.

Exploit Chain

Stage 1: Unauthenticated request to collection creation

An attacker sends a POST request to the collection creation endpoint of a ChromaDB instance whose Python FastAPI server is reachable. No credentials are required for this step.

Stage 2: Malicious embedding function supplied

The request body carries attacker-chosen embedding configuration values, including a Hugging Face model reference with trust_remote_code: true pointing at a repository the attacker controls.

Stage 3: Remote code load and execution path

ChromaDB resolves the model reference and executes the code shipped with the model before authentication has been enforced for the request.

Stage 4: Process compromise and host impact

Once that code runs, attacker-controlled commands inherit the privileges of the ChromaDB process, giving broad access to the host context: environment variables, mounted secrets, and data on local disk.

Detection Guidance

  1. Audit traffic to create_collection and the equivalent tenant/database collection-creation routes for unauthenticated calls, and alert on any request body that carries an embedding configuration with trust_remote_code enabled.
  2. Monitor the ChromaDB process for unexpected module downloads and runtime model loading, such as new files written to the model cache or child processes spawned by the server.
  3. Restrict exposed FastAPI endpoints to an allowlist of trusted clients and networks at the proxy or firewall; ChromaDB's own authentication does not help here because the vulnerable code runs before it.
  4. Block, or at minimum alert on, trust_remote_code: true style model loading on any public-facing path.
  5. Segment ChromaDB infrastructure so that only approved hosts can reach the deployment API.

Indicators of Compromise

  • Unexpected outbound model download traffic from ChromaDB nodes to public model hubs.
  • Creation of collections by unauthenticated or unexpected callers with unusual embedding configuration payloads.
  • Shell-like child processes spawned by the ChromaDB server process.
  • Reads of sensitive environment variables or mounted secrets from model-loading code.
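The following is an added detection example for the guidance and indicators above; it is not code from the advisory, from HiddenLayer, or from the ChromaDB project. It assumes a reverse proxy in front of ChromaDB writes one JSON record per request (method, path, client IP, whether an Authorization header was present, and the parsed body); that field layout, the collection-creation path patterns, the embedding configuration schema, and the 10.0.0.0/8 client allowlist are all assumptions, and the log lines are constructed for the example. The checks mirror items 1, 3 and 4 of the guidance: unauthenticated or non-allowlisted callers of the collection-creation route, and any request body that enables trust_remote_code.

```python
"""Flag ChromaDB collection-creation requests that enable remote model code loading.

Added example (not project code). Log format, API paths, collection configuration
schema and the client allowlist are assumptions for illustration.
"""
import ipaddress
import json
import re
from typing import Any, Iterator

# Constructed sample log: one JSON record per line, as an assumed reverse-proxy format.
SAMPLE_LOG = """
{"method":"POST","path":"/api/v2/tenants/default_tenant/databases/default_database/collections","client":"10.1.4.22","authenticated":true,"body":{"name":"docs","configuration":{"embedding_function":{"name":"default"}}}}
{"method":"POST","path":"/api/v2/tenants/default_tenant/databases/default_database/collections","client":"203.0.113.77","authenticated":false,"body":{"name":"x","configuration":{"embedding_function":{"name":"huggingface","config":{"model_name":"attacker-org/model","trust_remote_code":true}}}}}
{"method":"GET","path":"/api/v2/heartbeat","client":"203.0.113.77","authenticated":false,"body":null}
{"method":"POST","path":"/api/v2/tenants/default_tenant/databases/default_database/collections","client":"10.1.4.23","authenticated":true,"body":{"name":"y","configuration":{"embedding_function":{"name":"huggingface","config":{"model_name":"sentence-transformers/all-MiniLM-L6-v2","trust_remote_code":"True"}}}}}
""".strip()

# Assumed collection-creation routes (v1 flat path and v2 tenant/database path).
CREATE_COLLECTION = re.compile(
    r"^/api/v(?:1/collections|2/tenants/[^/]+/databases/[^/]+/collections)/?$"
)
# Assumed allowlist of internal clients permitted to reach the API.
TRUSTED_CLIENTS = [ipaddress.ip_network("10.0.0.0/8")]


def nested_dicts(obj: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield (json_path, dict) for every dict inside a nested request body."""
    if isinstance(obj, dict):
        yield path, obj
        for key, value in obj.items():
            yield from nested_dicts(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from nested_dicts(value, f"{path}[{i}]")


def is_truthy_flag(value: Any) -> bool:
    """trust_remote_code may arrive as a JSON bool or as a string such as "True"/"1"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "1", "yes"}


def analyze(record: dict) -> list[str]:
    """Return the reasons a single request record should be flagged (empty if benign)."""
    reasons: list[str] = []
    if record.get("method") != "POST" or not CREATE_COLLECTION.match(record.get("path", "")):
        return reasons
    client = ipaddress.ip_address(record["client"])
    if not any(client in net for net in TRUSTED_CLIENTS):
        reasons.append(f"create_collection from non-allowlisted client {client}")
    if not record.get("authenticated"):
        reasons.append("create_collection without credentials")
    # Walk the whole body: the flag is matched wherever it appears, not at a fixed depth.
    for path, d in nested_dicts(record.get("body") or {}):
        if "trust_remote_code" in d and is_truthy_flag(d["trust_remote_code"]):
            model = d.get("model_name") or d.get("model") or d.get("model_id") or "<unknown>"
            reasons.append(f"trust_remote_code enabled at {path} for model {model!r}")
    return reasons


def parse_log(log_text: str) -> list[dict]:
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def scan(log_text: str) -> list[dict]:
    """Run analyze() over every record; return the flagged ones with their reasons."""
    hits = []
    for rec in parse_log(log_text):
        reasons = analyze(rec)
        if reasons:
            hits.append({"client": rec["client"], "path": rec["path"], "reasons": reasons})
    return hits


def should_block(record: dict) -> bool:
    """Gate for a proxy in front of the exposed API: refuse any collection creation that
    enables remote code loading, even from authenticated or allowlisted clients, because
    the vulnerable code path runs before ChromaDB's own authentication."""
    return any(r.startswith("trust_remote_code") for r in analyze(record))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["path"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Run against the sample, the scan reports the external unauthenticated caller with three findings and the internal authenticated caller with one, since the embedding configuration alone is enough to flag a request; the heartbeat and the default-embedding collection are ignored. should_block() is the preventive form of the same check, intended for the allowlisting proxy of guidance item 3, where it refuses the request before it reaches the FastAPI server.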

Disclosure Timeline

2026-05-18 — Security research release

HiddenLayer publishes a research note describing the pre-authentication create_collection code path and the payload execution details.

2026-05-19 — CVE entry published/updated

NVD records CVE-2026-45829 with weakness context and links to the related source coverage.

2026-05-20 — CSA research follow-up

Cloud Security Alliance publishes a research note that aligns remediation priorities and operational containment guidance for exposed ChromaDB instances.

Sources & References