Full Report
A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. [...]
Analysis Summary
# Vulnerability: Pre-Authentication Remote Code Execution in ChromaDB
## CVE Details
- CVE ID: CVE-2026-45829
- CVSS Score: 10.0 (Critical)
- CWE: CWE-287 (Improper Authentication) / CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- Products: ChromaDB (Python-based FastAPI implementation)
- Versions: Versions 1.0.0 through 1.5.8 (Note: Status of 1.5.9 is currently unverified)
- Configurations: Systems running the Python API server accessible over HTTP.
## Vulnerability Description
The flaw is an ordering error in the Python FastAPI server logic. One API endpoint accepts model settings, including a reference to a remote model to load, and the server acts on those settings before the authentication middleware has validated the request. Acting on them makes the server fetch and initialize the referenced model, often from an external source such as Hugging Face. Because the server frequently loads models with `trust_remote_code=True`, code shipped in the model repository runs during initialization, so an unauthenticated attacker who supplies a reference to a malicious model obtains arbitrary code execution on the server.
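The ordering bug class described above, as an added illustration that is not ChromaDB's code and does not model its actual control flow: a framework-free stand-in for a request handler that acts on attacker-controlled model settings before checking credentials, beside a handler that authenticates first, allowlists the model reference and never honours `trust_remote_code` from the request. All names (`Request`, `FakeLoader`, `handle_vulnerable`, `handle_fixed`, the token and the allowlist) and both sample requests are constructed, and the loader only records what it was asked to load instead of downloading or executing anything.

```python
"""Added illustration of the pre-auth ordering bug class; not ChromaDB's code.
Every name here (Request, FakeLoader, handle_vulnerable, handle_fixed, the
token and the model allowlist) is hypothetical, and the loader only records
what it was asked to load instead of downloading or executing anything.
"""
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised when the bearer token is missing or wrong."""


@dataclass
class Request:
    headers: dict
    body: dict


@dataclass
class FakeLoader:
    """Stand-in for a model loader. A real loader called with
    trust_remote_code=True would fetch the repository and run its code here;
    this one just records (model_ref, trust_remote_code) for inspection."""
    loaded: list = field(default_factory=list)

    def load(self, model_ref, trust_remote_code):
        self.loaded.append((model_ref, trust_remote_code))


API_TOKEN = "s3cret-token"             # constructed credential
ALLOWED_MODELS = {"all-MiniLM-L6-v2"}  # constructed allowlist of model refs


def authenticate(req):
    if req.headers.get("Authorization") != f"Bearer {API_TOKEN}":
        raise AuthError("unauthenticated")


def handle_vulnerable(req, loader):
    """Wrong order: model settings from the untrusted body are acted on first.
    The caller still gets a 401, but the side effect has already happened."""
    settings = req.body.get("embedding_function", {})
    loader.load(settings.get("model"), settings.get("trust_remote_code", True))
    authenticate(req)  # too late
    return {"status": "ok"}


def handle_fixed(req, loader):
    """Right order: authenticate before reading anything attacker-controlled,
    then validate the model reference and never take trust_remote_code from
    the request."""
    authenticate(req)
    settings = req.body.get("embedding_function", {})
    model = settings.get("model")
    if model not in ALLOWED_MODELS:
        raise ValueError(f"model reference not allowed: {model!r}")
    loader.load(model, trust_remote_code=False)
    return {"status": "ok"}


def simulate(handler, req):
    """Run one handler; return (http_status, what the loader was asked to load)."""
    loader = FakeLoader()
    try:
        handler(req, loader)
        status = 200
    except AuthError:
        status = 401
    except ValueError:
        status = 400
    return status, loader.loaded


# Constructed attacker request: no credentials, malicious remote model reference.
ATTACK = Request(
    headers={},
    body={"embedding_function": {"model": "attacker/malicious-model",
                                 "trust_remote_code": True}},
)
# Constructed legitimate request.
LEGIT = Request(
    headers={"Authorization": f"Bearer {API_TOKEN}"},
    body={"embedding_function": {"model": "all-MiniLM-L6-v2"}},
)

if __name__ == "__main__":
    print("vulnerable:", simulate(handle_vulnerable, ATTACK))  # 401, model already loaded
    print("fixed:     ", simulate(handle_fixed, ATTACK))       # 401, nothing loaded
    print("fixed/legit:", simulate(handle_fixed, LEGIT))       # 200, allowlisted model
```

The point to take from the vulnerable path is that the attacker's request is rejected with a 401 exactly as an operator would expect, yet the loader has already been asked for the malicious model; an access log showing only rejected requests therefore does not prove that nothing executed.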
## Exploitation
- Status: PoC available (HiddenLayer research); no confirmed reports of exploitation in the wild at this time.
- Complexity: Low
- Attack Vector: Network (Unauthenticated)
## Impact
- Confidentiality: Critical (Full access to server data and environment variables)
- Integrity: Critical (Ability to modify databases, system files, and model outputs)
- Availability: Critical (Potential for total system takeover or service disruption)
## Remediation
### Patches
- As of the latest report, it is unclear whether version 1.5.9 fully addresses the flaw. Monitor the official GitHub repository for security-specific releases and upgrade as soon as a fixed version is confirmed.
### Workarounds
- **Migrate Frontend:** Move deployments to the Rust-based frontend, which does not share the affected Python API logic.
- **Network Restriction:** Restrict access to the ChromaDB API port (default 8000) using firewalls or VPNs; do not expose the API to the public internet.
- **Local Deployment:** Run ChromaDB locally without network exposure.
- **Model Security:** Avoid using `trust_remote_code` with untrusted or public model repositories.
## Detection
- **Indicators of Compromise:**
  - Unexpected outbound HTTP/HTTPS requests from the ChromaDB server to Hugging Face or to unknown external IP addresses.
  - HTTP 500 errors in server logs following requests to model-loading endpoints.
  - Unauthorized model artifacts in the server's cache or temp directories.
- **Detection Methods:**
  - Monitor network traffic from the ChromaDB host for egress to destinations outside an allowlist.
  - Audit API logs for requests that carry model-setting parameters to endpoints that should require authentication but arrive without valid credentials, especially where such a request is followed by a 500 response or by new outbound connections.
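The indicators above as runnable detection logic, added here as an example rather than taken from the advisory or from ChromaDB: it scans a constructed JSON-lines API access log for unauthenticated requests that carry model settings to a model-accepting endpoint, scans constructed egress records for destinations outside an allowlist, and correlates the two within a short window. The endpoint pattern, the body-key names, the `has_auth` and `body_keys` log fields (which a deployment would have to emit itself), the log lines and the egress allowlist are all assumptions to be replaced with the deployment's own values.

```python
"""Added detection example; not from the advisory or the ChromaDB project.
Inputs are constructed: a JSON-lines API access log carrying a has_auth flag
and the request body's top-level keys, and egress records "ts src -> dst:port"
from the ChromaDB host. Endpoint pattern, key names and allowlist are assumed.
"""
import json
import re
from datetime import datetime, timedelta

# Assumption: paths on which model/embedding settings are accepted. The paths
# here are made up; use the deployment's real endpoints.
MODEL_ENDPOINT_RE = re.compile(r"^/api/v\d+/collections(/|$)")
# Assumption: body keys that carry model settings.
MODEL_SETTING_KEYS = {"embedding_function", "model", "trust_remote_code"}

ACCESS_LOG = """\
{"ts":"2026-05-12T10:01:02Z","src":"10.0.0.5","method":"POST","path":"/api/v1/collections","status":200,"has_auth":true,"body_keys":["name","embedding_function"]}
{"ts":"2026-05-12T10:02:17Z","src":"203.0.113.7","method":"POST","path":"/api/v1/collections","status":500,"has_auth":false,"body_keys":["name","embedding_function"]}
{"ts":"2026-05-12T10:02:19Z","src":"203.0.113.7","method":"POST","path":"/api/v1/collections","status":500,"has_auth":false,"body_keys":["name","embedding_function"]}
{"ts":"2026-05-12T10:03:00Z","src":"10.0.0.5","method":"GET","path":"/api/v1/heartbeat","status":200,"has_auth":false,"body_keys":[]}
{"ts":"2026-05-12T10:03:30Z","src":"203.0.113.7","method":"GET","path":"/api/v1/collections","status":401,"has_auth":false,"body_keys":[]}
"""

EGRESS_LOG = """\
2026-05-12T10:02:18Z 10.0.0.20 -> 10.0.0.9:5432
2026-05-12T10:02:18Z 10.0.0.20 -> huggingface.co:443
2026-05-12T10:02:21Z 10.0.0.20 -> 198.51.100.23:443
"""
ALLOWED_EGRESS = {"10.0.0.9"}  # assumed: only the internal database host

EGRESS_RE = re.compile(r"^(\S+) (\S+) -> ([^:]+):(\d+)$")


def find_preauth_model_requests(log_text):
    """Unauthenticated requests that sent model settings to a model-accepting
    endpoint. A 500 on such a request is the advisory's stated indicator, so
    those are reported with higher severity."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e["has_auth"] or not MODEL_ENDPOINT_RE.match(e["path"]):
            continue
        if not MODEL_SETTING_KEYS & set(e["body_keys"]):
            continue
        severity = "high" if e["status"] == 500 else "medium"
        hits.append({"ts": e["ts"], "src": e["src"], "path": e["path"],
                     "status": e["status"], "severity": severity})
    return hits


def find_unexpected_egress(log_text, allowed):
    """Egress records whose destination is not on the allowlist."""
    out = []
    for line in log_text.splitlines():
        m = EGRESS_RE.match(line.strip())
        if not m:
            continue
        ts, _src, dst, port = m.groups()
        if dst not in allowed:
            out.append((ts, dst, int(port)))
    return out


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(hits, egress, window_s=30):
    """Pair each flagged request with unexpected egress seen within window_s
    seconds after it: a pre-auth model request followed by a new outbound
    connection is the sequence a model fetch would produce."""
    out = []
    for h in hits:
        start = _ts(h["ts"])
        dsts = [dst for ts, dst, _port in egress
                if timedelta(0) <= _ts(ts) - start <= timedelta(seconds=window_s)]
        out.append((h["ts"], dsts))
    return out


if __name__ == "__main__":
    hits = find_preauth_model_requests(ACCESS_LOG)
    egress = find_unexpected_egress(EGRESS_LOG, ALLOWED_EGRESS)
    for ts, dsts in correlate(hits, egress):
        print(f"{ts}: pre-auth model request followed by egress to {dsts}")
```

The heartbeat request and the unauthenticated GET that returned 401 are deliberately left unflagged: the first is not a model endpoint and the second carries no model settings, so the rule keys on the combination of endpoint, body content and missing credentials rather than on any one of them.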
## References
- HiddenLayer Research: hxxps[://]www[.]hiddenlayer[.]com/research/chromatoast-served-pre-auth
- ChromaDB GitHub: hxxps[://]github[.]com/chroma-core/chroma
- BleepingComputer Advisory: hxxps[://]www[.]bleepingcomputer[.]com/news/security/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking/