Threat Advisory

Critical ChromaDB Vulnerability Exists in Collections API Endpoint

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

CVE-2026-45829, with a CVSS score of 10.0, is a critical pre-authentication remote code execution (RCE) vulnerability in ChromaDB that allows an unauthenticated attacker to fully compromise a server by sending a specially crafted request to the collections API endpoint. The flaw occurs because ChromaDB processes user-controlled model or embedding configurations (such as a malicious Hugging Face repository) with trust_remote_code enabled before authentication checks are enforced, effectively executing attacker-supplied code on the host. Successful exploitation can lead to complete server takeover, including access to environment variables, API keys, and sensitive files, and to potential lateral movement within connected AI/ML infrastructure. The issue is considered critical because it is unauthenticated, low in complexity, and high in impact on confidentiality, integrity, and availability.
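The two defensive properties the summary above implies are (1) authentication must complete before any request body is interpreted, and (2) a caller must never be able to opt a model or embedding configuration into remote code execution or into an unvetted model repository. The following is an added example written for this advisory, not ChromaDB's own code, showing a gateway-style guard that enforces both. The request body shape (an `embedding_function` object with `repo`/`model` and `trust_remote_code` keys) and the allowlisted repository name are assumptions for illustration, not values taken from the product.

```python
"""
Added example (not ChromaDB's code): a request guard that authenticates before
touching the body and rejects embedding configurations that request remote
code execution or reference a model repository outside an operator allowlist.

Assumed (hypothetical) request shape for a "create collection" call:
  {"name": "...", "embedding_function": {"repo": "...", "trust_remote_code": bool}}
Key names and the allowlist entry below are illustrative placeholders.
"""
import json
from dataclasses import dataclass, field

# Hypothetical allowlist of model repositories the operator has vetted.
ALLOWED_REPOS = frozenset({"sentence-transformers/all-MiniLM-L6-v2"})


@dataclass
class Verdict:
    status: int                      # HTTP status the gateway would return
    reasons: list = field(default_factory=list)


def validate_embedding_config(cfg) -> list:
    """Return policy violations for an embedding config (empty list = accepted)."""
    if not isinstance(cfg, dict):
        return ["embedding config must be an object"]
    reasons = []
    # A caller must never be able to turn on execution of repository code.
    if cfg.get("trust_remote_code") is True:
        reasons.append("trust_remote_code is not permitted")
    repo = cfg.get("repo") or cfg.get("model")
    if repo is not None and repo not in ALLOWED_REPOS:
        reasons.append(f"model repository not on allowlist: {repo!r}")
    # Recurse so the flag cannot be smuggled inside a nested object.
    for key, value in cfg.items():
        if isinstance(value, dict) and validate_embedding_config(value):
            reasons.append(f"nested config under {key!r} rejected")
    return reasons


def handle_create_collection(raw_body: bytes, authenticated: bool) -> Verdict:
    """Gateway order: authenticate first, and only then parse and validate."""
    if not authenticated:
        # The body is never parsed for unauthenticated callers, so no
        # configuration-driven side effect can occur before authentication.
        return Verdict(401, ["authentication required"])
    try:
        body = json.loads(raw_body)
    except ValueError:
        return Verdict(400, ["malformed JSON"])
    if not isinstance(body, dict):
        return Verdict(400, ["body must be a JSON object"])
    cfg = body.get("embedding_function")
    if cfg is None:
        return Verdict(200)
    problems = validate_embedding_config(cfg)
    return Verdict(403, problems) if problems else Verdict(200)


if __name__ == "__main__":
    # Constructed sample requests; the "evil/x" repository name is made up.
    hostile = b'{"name": "c", "embedding_function": {"repo": "evil/x", "trust_remote_code": true}}'
    benign = b'{"name": "c", "embedding_function": {"repo": "sentence-transformers/all-MiniLM-L6-v2"}}'
    for body, auth in ((hostile, False), (hostile, True), (benign, True)):
        v = handle_create_collection(body, authenticated=auth)
        print(auth, v.status, v.reasons)
```

Rejecting `trust_remote_code` outright, rather than merely defaulting it to false, is the point: a default can be overridden by whatever the client sends, whereas a hard rejection plus a repository allowlist leaves the caller no path to code loading regardless of the rest of the configuration.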

RECOMMENDATION:

We strongly recommend that you update ChromaDB to the version linked below: https://github.com/chroma-core/chroma/releases

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/chromadb-pre-auth-rce-vulnerability-cve-2026-45829/
