
A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.
The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity rating from HiddenLayer, the company that discovered it.
ChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and similar applications. It allows retrieving semantically related documents during large language model (LLM) inference.
The flaw affects the codebase containing the vulnerable Python API server logic, so the PyPI package, which has nearly 14 million monthly downloads, is at risk when servers are reachable over HTTP.
Users who deploy it locally without exposing the API server online, along with those using the Rust front-end, aren’t affected by CVE-2026-45829.
According to HiddenLayer, a vulnerable API endpoint marked as authenticated allows attackers to embed model settings before authentication is checked.
An attacker can send a crafted request to force ChromaDB to load a malicious model from the Hugging Face platform and execute it locally. The authentication check is only performed after that step, bypassing protection.
“The authentication isn’t missing, [it’s] simply in the wrong place,” explains HiddenLayer.
“By the time it fires, the model has already been fetched and executed. The server rejects the request, returns a 500, and the attacker’s payload has already run.”
Exposure and mitigation
The researchers report that the flaw was introduced in ChromaDB 1.0.0 and was unpatched in version 1.5.8. Two weeks ago, the maintainer released version 1.5.9. However, it remains unclear if the security issue has been fixed.
Since February 17, HiddenLayer researchers have tried to contact the developer multiple times over email and social media, but received no reply.
BleepingComputer contacted the Chroma team about the status of CVE-2026-45829 but had not received a response by the time of publication. We will update this article if additional details become available.
According to their queries on Shodan, roughly 73% of the internet-exposed instances are running a vulnerable version of Chroma.
Until it becomes clear that CVE-2026-45829 has been patched, the recommendation for affected users is to choose the Rust frontend for their deployments or avoid exposing the Python server publicly. Another mitigation is to restrict network access to the ChromaDB API port.
The researchers also recommend scanning ML model artifacts before runtime because loading public models with ‘trust_remote_code’ effectively means executing untrusted code.
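The ordering problem HiddenLayer describes, and the ‘trust_remote_code’ advice above, can be seen in a small model of a request handler. This is an added illustration, not ChromaDB's code: every class, function and value in it is hypothetical, and the allowlist in the fixed handler is an assumption of the sketch rather than something the researchers prescribe.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed allowlist; pinning approved models is an assumption of this sketch.
ALLOWED_MODELS = {"example-org/approved-embedder"}

class AuthError(Exception):
    pass

@dataclass
class Request:
    token: Optional[str]
    model_settings: dict  # caller-controlled request body field

@dataclass
class Server:
    valid_token: str
    loaded: list = field(default_factory=list)  # side effects seen so far

    def load_model(self, settings):
        # Stand-in for fetching and instantiating a remote model. With
        # trust_remote_code, this step would run code shipped with the model.
        self.loaded.append(settings["name"])

    def authenticate(self, req):
        if req.token != self.valid_token:
            raise AuthError("unauthenticated")

    def handle_vulnerable(self, req):
        self.load_model(req.model_settings)  # body acted on first
        self.authenticate(req)               # check fires too late
        return "ok"

    def handle_fixed(self, req):
        self.authenticate(req)               # nothing runs before this
        if req.model_settings.get("trust_remote_code"):
            raise ValueError("remote code not allowed")
        if req.model_settings.get("name") not in ALLOWED_MODELS:
            raise ValueError("model not on allowlist")
        self.load_model(req.model_settings)
        return "ok"

def side_effects(handler_name, req):
    """Run one handler on a fresh server; return (outcome, models loaded)."""
    srv = Server(valid_token="constructed-token")
    try:
        outcome = getattr(srv, handler_name)(req)
    except (AuthError, ValueError):
        outcome = "rejected"
    return outcome, srv.loaded
```

Both handlers reject an unauthenticated request, so the response alone does not distinguish them; only the recorded side effects show that the vulnerable ordering loaded the model before refusing.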




