A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.
The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity score from HiddenLayer, the company that discovered it.
ChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and related applications. It enables retrieving semantically relevant documents during large-language model (LLM) inference.
The flaw affects the codebase containing the vulnerable Python API server logic, so the PyPI package, which has nearly 14 million monthly downloads, is at risk when servers are accessible over HTTP.
Users who deploy it locally without exposing the API server online along with those using the Rust front-end, are not affected by CVE-2026-45829.
According to HiddenLayer, a vulnerable API endpoint marked as authenticated allows attackers to embed model settings before authentication is checked.
An attacker can send a crafted request to force ChromaDB to load a malicious model from the Hugging Face platform and execute it locally. The authentication check is only performed after that step, bypassing security.
“The authentication is not missing, [it’s] just in the wrong place,” explains HiddenLayer.
“By the time it fires, the model has already been fetched and executed. The server rejects the request, returns a 500, and the attacker’s payload has already run.”
Exposure and mitigation
The researchers report that the flaw was introduced in ChromaDB 1.0.0 and was unpatched in version 1.5.8. Two weeks ago, the maintainer released version 1.5.9. However, it remains unclear if the security issue has been fixed.
Since February 17, HiddenLayer researchers have attempted to contact the developer multiple times over email and social media, but received no reply.
BleepingComputer contacted the Chroma team about the status of CVE-2026-45829 but had not received a response by the time of publication. We will update this article if additional details become available.
According to their queries on Shodan, roughly 73% of the internet-exposed instances are running a vulnerable version of Chroma.
Until it becomes clear that CVE-2026-45829 has been patched, the recommendation for impacted users is to pick the Rust frontend for their deployments or avoid exposing the Python server publicly. Another mitigation is to restrict network access to the ChromaDB API port.
The researchers also recommend scanning ML model artifacts before runtime because loading public models with ‘trust_remote_code’ effectively means executing untrusted code.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
