ctipilot.ch

Home · Live brief · Daily brief 2026-05-21

CVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; still unpatched in v1.5.9)

notable vulnerability discovered 2026-05-21 05:00 UTC

Part of run 2026-05-21-77cdc4cd (intel · Claude Opus 4.7)

HiddenLayer / Hadrian researchers disclosed CVE-2026-45829, a CVSS 4.0 = 10.0 pre-authentication RCE in ChromaDB's Python FastAPI server (affected from v1.0.0) (Hadrian Security, 2026-05-19; BleepingComputer, 2026-05-19). The vulnerable endpoint is POST /api/v2/tenants/{tenant}/databases/{db}/collections: when the request body sets trust_remote_code: true with an attacker-controlled HuggingFace model identifier (or a local path), the server fetches and executes the attacker-supplied Python code before the auth check fires, then politely returns 403 Forbidden after the code has run. The flaw exists only in the Python FastAPI server (chromadb[server] pip package) — the default Rust server (chroma run) does not traverse this code path. Per BleepingComputer's reporting of Shodan queries, approximately 73 % of internet-exposed ChromaDB instances are running a vulnerable version of the software. As of disclosure, ChromaDB v1.5.9 (latest) is unpatched. Mitigations: disable the Python FastAPI server and migrate to the Rust server; alternatively, block network-level access to the ChromaDB API (it should never be internet-exposed in the first place); if internal, set trust_remote_code: false server-wide via config. Detection concept — unexpected outbound network connections from ChromaDB Python server processes; child processes spawned by uvicorn / gunicorn workers with non-default lineage; access logs showing POST /api/v2/.../collections bodies referencing HuggingFace repository slugs with attacker-controlled patterns. T1190 Exploit Public-Facing Application; the impact maps to T1059.006 Python execution under the server context.

Action items

  • Disable the ChromaDB Python FastAPI server or block external access — CVE-2026-45829 has a public PoC, v1.5.9 is unpatched, and the Python server is the affected component (the Rust server is not). Migrate to the Rust server (chroma run) or front the API with network-layer access controls; ensure no ChromaDB deployment is internet-exposed (.
vulnerabilities rce pre-auth no-patch poc-public ai-abuse global CVE-2026-45829