A critical authentication bypass vulnerability that allows unauthenticated remote code execution (RCE) has been identified in ChromaDB. The flaw, tracked as CVE-2026-45829, has been assigned the maximum CVSS severity score of 10.0 and remains unpatched in the current stable version, 1.5.8.
ChromaDB is an open-source vector database widely used in the artificial intelligence sector to run semantic similarity searches over high-dimensional datasets. It has a substantial footprint among enterprise developers, with approximately 13 million monthly downloads and 27,500 GitHub stars, and its production users include companies such as Capital One and UnitedHealthcare.
The defect affects ChromaDB’s Python-based FastAPI server implementation. The server accepts and executes user-specified embedding functions before it performs any identity check. To exploit it, an unauthenticated attacker needs only HTTP access to the ChromaDB Application Programming Interface (API), to which they send a crafted collection-creation request.
The vulnerability stems from the way ChromaDB initializes embedding models. These machine learning models translate unstructured text into high-dimensional numerical vectors, which lets the datastore match on meaning even when there is no exact keyword match. When creating a new document collection, the client specifies the model to use along with its parameters. The server takes these configuration values directly from the HTTP request body, then contacts Hugging Face to fetch and initialize the specified model weights.
The first problem is that the trust_remote_code configuration flag is passed through unvalidated. In the Hugging Face ecosystem, this parameter explicitly authorizes downloading and executing arbitrary Python code stored in the model’s repository. The flag exists to support highly customized or non-standard neural network architectures, but loading an unvetted repository with it enabled turns ordinary model loading into un-sandboxed arbitrary code execution. ChromaDB lets the parameter through because its validation logic checks only the data type of the input, so the boolean value true is treated as perfectly legitimate.
The second problem is the order in which the API endpoint does its work. Although the collection-creation route is explicitly marked as requiring user authentication, FastAPI parses the incoming configuration model and starts the remote model download before the authentication check runs. As a result, an unauthenticated request is ultimately rejected with an access-denied status code at the end of the chain, but by then the attacker's code has already executed. In the logs, the intrusion looks like an ordinary failed API call, while the attacker has already gained code execution in the server process.
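The two corrections implied by the preceding two paragraphs, as an added example that is not ChromaDB's code: authenticate before the body is parsed, and reject trust_remote_code by its presence at any depth rather than by its type. The request shape (embedding_function, model_name, kwargs), the bearer-token check and the allowlisted model name are assumptions made for illustration.

```python
import hmac
import json

# Only trust_remote_code is named on the page; extend the set for your loader.
FORBIDDEN_KEYS = {"trust_remote_code"}
# Constructed placeholder: models the operator has reviewed and pinned.
ALLOWED_MODELS = {"example-org/reviewed-embedder"}


def find_forbidden(node, path="$"):
    """Return the JSON path of the first forbidden key at any depth, else None."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() in FORBIDDEN_KEYS:
                return f"{path}.{key}"
            hit = find_forbidden(value, f"{path}.{key}")
            if hit:
                return hit
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hit = find_forbidden(item, f"{path}[{i}]")
            if hit:
                return hit
    return None


def create_collection(headers, raw_body, expected_token, load_model):
    """Return (status, detail); load_model runs only after every check passes."""
    # 1. Authenticate before the body is parsed or any model is touched.
    supplied = headers.get("authorization", "")
    if not hmac.compare_digest(supplied.encode(), f"Bearer {expected_token}".encode()):
        return 401, "unauthenticated"
    # 2. Parse, then reject execution-grade keys by presence, not by type.
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, "malformed JSON"
    if not isinstance(body, dict):
        return 400, "body must be a JSON object"
    hit = find_forbidden(body)
    if hit:
        return 422, f"forbidden parameter at {hit}"
    # 3. Allowlist the model instead of fetching whatever the client names.
    ef = body.get("embedding_function")
    model = ef.get("model_name") if isinstance(ef, dict) else None
    if not isinstance(model, str) or model not in ALLOWED_MODELS:
        return 422, "model not on allowlist"
    load_model(model)
    return 200, "created"
```

Passing a recording stub as load_model shows that neither the unauthenticated request nor the authenticated one carrying the flag ever reaches the loader.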
After successful exploitation, the attacker holds the full privileges of the ChromaDB process, which gives access to environment variables, third-party API tokens, embedded secret stores, and the raw data volumes on disk.
According to threat intelligence released by HiddenLayer, the security regression was introduced in ChromaDB version 1.0.0 and persists through the current 1.5.8 release candidate. Shodan searches showed that 73% of publicly exposed, internet-facing ChromaDB instances are running version 1.0.0 or later, which puts the large majority of the global deployment footprint within the exposure zone.
No upstream fix is available yet. The authors of the disclosure advise that ChromaDB must restructure its middleware stack to enforce identity and access validation before parsing configuration blocks, and must block execution-grade parameters outright during runtime collection initialization. Until an official security update is released, system administrators are strongly urged to move deployments to the Rust-based execution path (the native chroma run command and the official Docker Hub container images from version 1.0.0 onward), which is completely unaffected. For organizations tied to the Python FastAPI server implementation, the ChromaDB network port must be firewalled so that only authenticated, trusted internal clients can reach it.
The discovery team first sent a confidential vulnerability disclosure to the ChromaDB maintainers on February 17, 2026. After receiving no response, the analysts escalated repeatedly through other channels, including the IT-ISAC consortium and secure social networks, with the final unacknowledged outreach attempt logged on April 16, 2026.