Unpatched ChromaDB Vulnerability Can Lead to Server Takeover
A critical unpatched vulnerability in ChromaDB, CVE-2026-45829, allows unauthenticated remote attackers to execute arbitrary code and fully compromise servers running the popular AI vector database.
A critical unpatched vulnerability in ChromaDB, an open-source vector database widely used in AI applications, could allow remote, unauthenticated attackers to spawn a shell and take full control of the server process, according to researchers at HiddenLayer.
Tracked as CVE-2026-45829 and dubbed 'ChromaToast,' the pre-authentication remote code execution (RCE) flaw affects all ChromaDB versions since 1.0.0. HiddenLayer estimates that roughly 73% of internet-accessible ChromaDB deployments are vulnerable. The database has approximately 13 million monthly pip downloads and is used by high-profile organizations including Mintlify, Factory AI, and Weights & Biases.
The root cause of the vulnerability lies in two compounding failures: the server trusts client-supplied model identifiers without restriction and acts on that trust before authenticating the user. An unauthenticated attacker can trigger the flaw by sending a collection creation request that points to a malicious HuggingFace model. The server accepts the request, downloads the model, and executes it—all before running its authentication check, which then rejects the request. By that point, the attacker has already gained shell access.
Successful exploitation provides the attacker with full control of the server process and access to everything it can reach, including API keys, environment variables, mounted secrets, and all files on the disk. This could lead to complete server takeover and data exfiltration.
HiddenLayer says it attempted to report the issue to Chroma multiple ChromaDB contacts via several channels starting February 17, but received no response. Independent researcher Azraelxuemo reported the flaw in November 2025 and also received no reply. As of ChromaDB version 1.5.8, no patch has been released.
While unpatched, the vulnerability potentially exposes vulnerable ChromaDB deployments to takeover attacks. HiddenLayer recommends restricting network access to ChromaDB to trusted clients only as a mitigation. Full remediation would require moving the authentication check before configuration loading and stripping keys named 'kwargs' from requests in both the V1 and V2 create_collection handles.
This disclosure highlights a growing concern around security in AI infrastructure components. As vector databases like ChromaDB become integral to AI pipelines, unpatched vulnerabilities that allow unauthenticated RCE pose a significant risk to organizations relying on these systems for sensitive data processing.
BleepingComputer reports that the flaw, now assigned CVE-2026-45829, was introduced in ChromaDB 1.0.0 and remains unpatched in version 1.5.8. HiddenLayer researchers have been unable to reach the maintainer since reporting the issue on February 17, and version 1.5.9, released two weeks ago, may not address the vulnerability. Shodan scans show roughly 73% of internet-exposed instances run a vulnerable version, and the PyPI package sees nearly 14 million monthly downloads.