CVE-2026-45829
Description
A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can achieve remote code execution on the ChromaDB Python backend by sending a crafted collection creation request that references a malicious HuggingFace model and enables trust_remote_code.
Vulnerability
A pre-authentication code injection vulnerability exists in the ChromaDB Python backend server (version 1.0.0 and later, up to and including version 1.5.8). The POST /api/v2/tenants/{tenant}/databases/{db}/collections endpoint processes user-controlled embedding function configuration before performing authentication checks. An attacker can set the model_name to a malicious HuggingFace model and pass trust_remote_code: true in the request. The server downloads and executes arbitrary code from HuggingFace, leading to RCE. The vulnerability is in the load_create_collection_configuration_from_json function and the code path that calls build_from_config. This only affects the Python server implementation; the default Rust server is not vulnerable [1][2].
Exploitation
An unauthenticated attacker with HTTP API access to the ChromaDB server can exploit this by sending a POST request to /api/v2/tenants/{tenant}/databases/{db}/collections (any tenant and database values are accepted) with a crafted JSON body containing an embedding function configuration that references a malicious HuggingFace repository and sets trust_remote_code to true. The server processes this configuration before authentication, downloads the model, and executes its code. The attacker does not need to provide any credentials. As shown in the reference demonstration, the server will later reject the request due to authentication failure, but the malicious code has already run [2].
Impact
On successful exploitation, an attacker gains full remote code execution in the server process. This results in complete compromise of the ChromaDB instance, including access to vector data, credentials, and the ability to pivot to internal networks. The source labels the impact as critical but does not specify a CVSS score. The affected server runs with the privileges of the ChromaDB service user, offering potentially high-value access to the underlying operating system [2].
Mitigation
As of version 1.5.8, there is no official patch for this vulnerability. The ChromaDB project has not yet released a fixed version. Users are advised to avoid exposing the Python backend server to untrusted networks, or to use the default Rust server instead, which is not vulnerable. If the Python server must be used, restrict network access to trusted clients only and consider enforcing authentication at the network level (e.g., with a reverse proxy). The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1][2].
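One way to back up the reverse-proxy restriction described above is a pre-filter that refuses collection-creation requests asking for trust_remote_code before they reach the Python server. This is an added example, not ChromaDB code: the function names, the sample body and its field nesting are assumptions, and the filter supplements network-level authentication rather than replacing it.

```python
import json
import re

# Path template from the advisory; tenant and database segments are wildcards.
COLLECTIONS_PATH = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/?$")

def _truthy(value):
    # Treat JSON true, non-zero numbers and strings such as "true" or "1" as enabled.
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes"}
    return bool(value)

def requests_remote_code(node):
    """Walk decoded JSON and report whether any trust_remote_code key is enabled."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "trust_remote_code" and _truthy(value):
                return True
            if requests_remote_code(value):
                return True
    elif isinstance(node, list):
        return any(requests_remote_code(item) for item in node)
    return False

def should_block(method, path, body):
    """Return (blocked, reason) for one HTTP request seen at the proxy."""
    path = path.split("?", 1)[0]  # ignore any query string
    if method.upper() != "POST" or not COLLECTIONS_PATH.match(path):
        return (False, "not a collection-creation request")
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        # Fail closed: the backend would parse this body before authenticating.
        return (True, "unparseable body on collection-creation endpoint")
    if requests_remote_code(payload):
        return (True, "trust_remote_code enabled in request body")
    return (False, "no remote code requested")

# Constructed sample; the nesting is an assumption, not ChromaDB's documented schema.
SAMPLE_BODY = json.dumps({"name": "docs", "configuration": {"embedding_function": {
    "config": {"model_name": "example-org/example-model", "trust_remote_code": True}}}})

if __name__ == "__main__":
    print(should_block("POST", "/api/v2/tenants/t1/databases/d1/collections", SAMPLE_BODY))
```

The same function can be run over captured request logs to find earlier attempts, since the advisory notes the server rejects the request only after the code has already run.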
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=1.0.0
Patches
No patches discovered yet.
References
News mentions
- Max-severity flaw in ChromaDB for AI apps allows server hijacking (BleepingComputer · May 19, 2026)
- Unpatched ChromaDB Vulnerability Can Lead to Server Takeover (SecurityWeek · May 19, 2026)