ChromaDB Python FastAPI server CVE-2026-45829 — pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0); v1.5.9 unpatched at disclosure; Hadrian/HiddenLayer PoC public

cve · item:chromadb-cve-2026-45829-python-fastapi-pre-auth-rce-hidden-l

Coverage timeline

first 2026-05-21 → last 2026-05-21

Briefs

1 distinct

Sources cited

2 hosts

Sections touched

trending_vulns

Co-occurring entities

no co-occurrence

Story timeline

2026-05-21CTI Daily Brief — 2026-05-21
trending_vulnsFirst coverage. POST /api/v2/.../collections with trust_remote_code:true + attacker HF model identifier executes Python before auth check fires; chromadb[server] Python FastAPI server only (Rust server unaffected); ~73% of internet-accessible ChromaDB deployments use Python; AI/RAG infrastructure exposure.

Where this entity is cited

trending_vulns1

Source distribution

bleepingcomputer.com1 (50%)
hadrian.io1 (50%)

External references

NVD · cve.org · CISA KEV

All cited sources (2)

Items in briefs about ChromaDB Python FastAPI server CVE-2026-45829 — pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0); v1.5.9 unpatched at disclosure; Hadrian/HiddenLayer PoC public

No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.