ctipilot.ch

ChromaDB Python FastAPI server pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; v1.5.9 unpatched at disclosure)

cve · CVE-2026-45829 single-source

Coverage timeline
2
first 2026-05-18 → last 2026-05-25
Entries
2
2 distinct days
Sources cited
2
2 hosts
Sections touched
2
trending-vulnerabilities, weekly-vuln-rollup
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-05-21CVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; still unpatched in v1.5.9)
    trending-vulnerabilitiesCVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; still unpatched in
  2. 2026-05-18CVE-2026-45829 — ChromaDB Python server: pre-auth RCE before the auth check, still unpatched
    weekly-vuln-rollupCVE-2026-45829 — ChromaDB Python server: pre-auth RCE before the auth check, still unpatched

Where this entity is cited

  • weekly-vuln-rollup1
  • trending-vulnerabilities1

Source distribution

  • bleepingcomputer.com1 (50%)
  • hadrian.io1 (50%)

Entries about ChromaDB Python FastAPI server pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; v1.5.9 unpatched at disclosure) (2)

2026-05-21 · view entry permalink →

CVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; still unpatched in v1.5.9)

notable vulnerability discovered 2026-05-21 05:00 UTC

HiddenLayer / Hadrian researchers disclosed CVE-2026-45829, a CVSS 4.0 = 10.0 pre-authentication RCE in ChromaDB's Python FastAPI server (affected from v1.0.0) (Hadrian Security, 2026-05-19; BleepingComputer, 2026-05-19). The vulnerable endpoint is POST /api/v2/tenants/{tenant}/databases/{db}/collections: when the request body sets trust_remote_code: true with an attacker-controlled HuggingFace model identifier (or a local path), the server fetches and executes the attacker-supplied Python code before the auth check fires, then politely returns 403 Forbidden after the code has run. The flaw exists only in the Python FastAPI server (chromadb[server] pip package) — the default Rust server (chroma run) does not traverse this code path. Per BleepingComputer's reporting of Shodan queries, approximately 73 % of internet-exposed ChromaDB instances are running a vulnerable version of the software. As of disclosure, ChromaDB v1.5.9 (latest) is unpatched. Mitigations: disable the Python FastAPI server and migrate to the Rust server; alternatively, block network-level access to the ChromaDB API (it should never be internet-exposed in the first place); if internal, set trust_remote_code: false server-wide via config. Detection concept — unexpected outbound network connections from ChromaDB Python server processes; child processes spawned by uvicorn / gunicorn workers with non-default lineage; access logs showing POST /api/v2/.../collections bodies referencing HuggingFace repository slugs with attacker-controlled patterns. T1190 Exploit Public-Facing Application; the impact maps to T1059.006 Python execution under the server context.

vulnerabilities rce pre-auth no-patch poc-public ai-abuse global CVE-2026-45829

2026-05-18 · view entry permalink →

CVE-2026-45829 — ChromaDB Python server: pre-auth RCE before the auth check, still unpatched

notable vulnerability discovered 2026-05-18 05:00 UTC single-source

HiddenLayer / Hadrian researchers disclosed a CVSS 10.0 pre-authentication RCE in ChromaDB's Python FastAPI server (affected from v1.0.0): the embedding-function model is loaded before the authentication check runs, so an unauthenticated request reaches code execution "before it asks who you are." Public PoC, still unpatched in v1.5.9. ChromaDB is a common vector-store backend for retrieval-augmented-generation stacks now appearing in public-sector AI pilots; any internet-reachable instance is exposed. Take ChromaDB off the public internet and front it with an authenticating reverse proxy until a fix ships.

vulnerabilities rce pre-auth no-patch poc-public ai-abuse global CVE-2026-45829