VYPR
← All advisories
Critical severityNVD Advisory· Published Jun 12, 2026· Updated Jun 12, 2026

CVE-2026-45833

CVE-2026-45833

Description

Authenticated users with UPDATE_COLLECTION permission can achieve RCE via code injection during embedding function model loading in ChromaDB versions 0.4.17 and later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users with UPDATE_COLLECTION permission can achieve RCE via code injection during embedding function model loading in ChromaDB versions 0.4.17 and later.

Vulnerability

A code injection vulnerability exists in ChromaDB versions 0.4.17 and later (Python package). The /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} endpoint allows users with the UPDATE_COLLECTION permission to update a collection's embedding function configuration. If trust_remote_code is set to true and a malicious model repository is specified, the build_from_config() method in the update_collection code path (referenced in chromadb/server/fastapi/__init__.py:883-919 and chromadb/api/collection_configuration.py:605-633) will instantiate arbitrary code from HuggingFace Hub, enabling remote code execution [1].

Exploitation

An attacker must be authenticated and have the UPDATE_COLLECTION permission on the target collection. No user interaction beyond the API call is required. The attacker sends a crafted HTTP PATCH request to the update_collection endpoint with a JSON payload that sets an embedding function configuration containing a malicious HuggingFace model name and trust_remote_code: true. The server-side code path loads and instantiates the model, executing attacker-supplied code before any additional validation [1].

Impact

Successful exploitation yields arbitrary code execution on the ChromaDB server, with the privileges of the server process. The attacker can achieve full compromise of confidentiality, integrity, and availability — reading or exfiltrating vector stores and other data, modifying database content, or using the server as a pivot for lateral movement. The CVSS v4.0 score is 9.4 (Critical) [1].

Mitigation

As of the published advisory (2026-06-12), no patched version has been released for ChromaDB. The recommended workaround is to restrict UPDATE_COLLECTION permissions to only trusted users via authentication and authorization controls, or to disable the use of remote embedding functions entirely by not permitting trust_remote_code: true in environments. Users should monitor the vendor for a future update. The vulnerability is not yet listed on the CISA Known Exploited Vulnerabilities catalog [1].

References
  1. HiddenLayer SAI Security Advisory | ChromaDB

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Unrestricted model instantiation in `build_from_config()` allows an attacker-controlled HuggingFace model with `trust_remote_code: true` to execute arbitrary code."

Attack vector

An authenticated attacker with the `UPDATE_COLLECTION` permission sends a crafted PATCH request to `/api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id}`. The request body includes a `new_configuration` JSON object that specifies an embedding function referencing a malicious HuggingFace model repository with `trust_remote_code: true`. The server authenticates the request first, but then passes the attacker-controlled configuration directly to `build_from_config()`, which instantiates the embedding function without any guard against remote code execution [ref_id=1]. This allows arbitrary code execution on the server.

Affected code

The vulnerable code path is in `chromadb/server/fastapi/__init__.py` in the `process_update_collection` function (lines 883-919) and the `load_update_collection_configuration_from_json` function in `chromadb/api/collection_configuration.py` (lines 605-633). The latter calls `build_from_config()` on an embedding function, passing attacker-controlled configuration that can specify a malicious HuggingFace model with `trust_remote_code: true` [ref_id=1].

What the fix does

The advisory does not include a patch diff. It states that the `update_collection` endpoint uses the same `build_from_config()` code path as CVE-2026-45829, and that "the model instantiation itself is unguarded" [ref_id=1]. The recommended remediation would be to either remove or restrict the ability to set `trust_remote_code: true` in embedding function configurations, or to validate/sanitize the model repository reference before instantiation. No official fix is published in the advisory.

Preconditions

  • authAttacker must be authenticated to the ChromaDB server
  • authAttacker must have the UPDATE_COLLECTION permission on the target collection
  • configThe server must be running ChromaDB version 0.4.17 or later
  • networkAttacker must have network access to the ChromaDB API endpoint

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.