Critical Authentication Bypass Vulnerability in ChromaDB Allows Remote Code Execution
Key Takeaways
- ▸CVE-2026-45829, a max-severity vulnerability in ChromaDB, allows unauthenticated remote code execution by exploiting a misplaced authentication check that happens after model loading
- ▸Attackers can force ChromaDB to load and execute malicious models from Hugging Face before authentication is verified, making the subsequent server rejection irrelevant
- ▸Approximately 73% of internet-exposed ChromaDB instances are running vulnerable versions
Summary
A maximum-severity vulnerability (CVE-2026-45829) has been discovered in ChromaDB, an open-source vector database widely used in AI and agentic AI applications. The flaw, identified by security researchers at HiddenLayer, allows unauthenticated attackers to execute arbitrary code on exposed servers by exploiting an authentication check that occurs after model execution rather than before.
The vulnerability affects the Python FastAPI version of ChromaDB, particularly the PyPI package which has nearly 14 million monthly downloads. An attacker can send a crafted request to force ChromaDB to load a malicious model from Hugging Face and execute it locally, with the authentication check firing only after the payload has already run. The flaw was introduced in version 1.0.0 and remained unpatched through version 1.5.8.
According to Shodan searches, approximately 73% of internet-exposed ChromaDB instances are running vulnerable versions. While maintainers released version 1.5.9 two weeks ago, the status of whether this patch addresses the vulnerability remains unclear due to limited communication from the development team. Users are advised to either switch to the Rust frontend, avoid exposing the Python API server publicly, or restrict network access to the API port until the patch is confirmed.
- Mitigation options include using the Rust frontend, restricting network access to the API port, or keeping the Python server offline until the patch is confirmed effective
