A critical vulnerability has been discovered in the most recent Python FastAPI version of the popular ChromaDB project, potentially enabling unauthorized individuals to execute arbitrary code on vulnerable servers.
Identified as CVE-2026-45829, this flaw was brought to ChromaDB’s attention on February 17 by HiddenLayer, the security company that detected it. HiddenLayer assigned it the highest possible severity rating.
ChromaDB, an open-source vector database and AI retrieval backend primarily utilized in agentic AI applications, facilitates the retrieval of semantically relevant documents during the inference process of large-language models (LLMs).
The vulnerability affects the Python API server code, so the PyPI package, which has nearly 14 million monthly downloads, is at risk when the server is reachable over HTTP.
Users who deploy ChromaDB locally without exposing the API server to the internet, as well as those leveraging the Rust front-end, are not susceptible to CVE-2026-45829.
According to HiddenLayer’s findings, a vulnerable API endpoint marked as authenticated permits attackers to inject model settings before the authentication process is initiated.
Exploiting this flaw, an attacker can send a tailored request to prompt ChromaDB to load a malicious model from the Hugging Face platform and execute it locally. The authentication check occurs only after this step, effectively circumventing security measures.
“The authentication is not absent, but rather misplaced,” HiddenLayer clarifies. “By the time it triggers, the model has already been fetched and executed. The server rejects the request, returns a 500 error, and the attacker’s payload has already been executed.”
Exposure and Remediation
The vulnerability was introduced in ChromaDB 1.0.0 and remained unpatched through version 1.5.8. The maintainer has since released version 1.5.9, but it is unclear whether this update addresses the security issue.
Since February 17, HiddenLayer researchers have made numerous attempts to reach out to the developer via email and social media, yet no response has been received thus far.
When BleepingComputer reached out to the Chroma team for an update on the status of CVE-2026-45829, no response was provided at the time of publication. Any further developments will be included in this article.
Based on Shodan queries, approximately 73% of publicly accessible instances on the internet are running an outdated and vulnerable version of Chroma.
Until confirmation of a patch for CVE-2026-45829, impacted users are advised to opt for the Rust frontend for their deployments or avoid exposing the Python server to the public. Additionally, restricting network access to the ChromaDB API port can serve as a supplementary mitigation measure.
The researchers also recommend preemptively scanning ML model artifacts before runtime, as loading public models with ‘trust_remote_code’ essentially equates to executing untrusted code.
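One way to act on the scanning recommendation above, as an added example rather than HiddenLayer's or ChromaDB's own tooling: Hugging Face repositories that need `trust_remote_code` declare their custom classes under the `auto_map` key of `config.json` or `tokenizer_config.json` and ship the Python modules alongside, so a pre-load check can refuse any downloaded directory that has either. The function names and the sample directories are assumptions constructed for illustration.

```python
# Pre-load check for custom-code indicators. Hypothetical helper names; sample data is constructed.
import json
import tempfile
from pathlib import Path


def auto_map_targets(cfg: dict) -> list:
    """Return the 'module.Class' strings declared under the auto_map key."""
    auto_map = cfg.get("auto_map")
    if not isinstance(auto_map, dict):
        return [] if auto_map is None else [repr(auto_map)]  # malformed: still flag
    targets = []
    for value in auto_map.values():
        items = value if isinstance(value, list) else [value]
        targets += [v for v in items if isinstance(v, str)]
    return targets


def scan_model_dir(model_dir) -> dict:
    """Report custom-code indicators in a locally downloaded model directory."""
    root = Path(model_dir)
    found = {"auto_map": [], "python_files": [], "unparsable": []}
    for name in ("config.json", "tokenizer_config.json"):
        path = root / name
        if not path.is_file():
            continue
        try:
            cfg = json.loads(path.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            found["unparsable"].append(name)  # cannot inspect, so fail closed
            continue
        if isinstance(cfg, dict):
            found["auto_map"] += auto_map_targets(cfg)
    found["python_files"] = sorted(p.relative_to(root).as_posix() for p in root.rglob("*.py"))
    found["block"] = any(found[k] for k in ("auto_map", "python_files", "unparsable"))
    return found


def demo():
    """Scan two constructed directories: weights-only config vs. custom code."""
    with tempfile.TemporaryDirectory() as tmp:
        plain, custom = Path(tmp, "plain"), Path(tmp, "custom")
        for directory in (plain, custom):
            directory.mkdir()
        (plain / "config.json").write_text('{"model_type": "bert"}')
        (custom / "config.json").write_text('{"auto_map": {"AutoModel": "modeling_x.XModel"}}')
        (custom / "modeling_x.py").write_text("# constructed placeholder\n")
        return scan_model_dir(plain), scan_model_dir(custom)
```

The check covers repository-supplied Python only; it does not inspect serialized weight files.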