ChromaDB CVSS 10.0 Pre-Auth RCE CVE-2026-45829: AI Vector Database Compromise via HuggingFace Model Injection

HiddenLayer and the Cloud Security Alliance published disclosures of CVE-2026-45829, a CVSS 10.0 unauthenticated remote code execution vulnerability in ChromaDB's Python FastAPI server, on 18–20 May 2026. Attackers can inject malicious code via a crafted HuggingFace-hosted model before the authentication gate fires. Approximately 73% of ChromaDB deployments are internet-exposed. No patch exists for affected versions.

Tags: chromadb, vector-database, ai-security, cve-2026-45829, rce, huggingface, rag-pipeline, llm-security

CVE-2026-45829 is a CVSS 10.0 unauthenticated remote code execution vulnerability in ChromaDB’s Python FastAPI server, initially disclosed by HiddenLayer on 18 May and followed by a detailed Cloud Security Alliance advisory on 20 May. The vulnerability allows an attacker to execute arbitrary code on the ChromaDB server before any authentication check fires, using a maliciously crafted model fetched from HuggingFace or a controlled model repository.

ChromaDB is the most widely deployed open-source vector database for AI and retrieval-augmented generation (RAG) applications. RAG pipelines use vector databases to store document embeddings that large language models query to augment their responses with up-to-date or organisation-specific context. An exploited ChromaDB instance gives an attacker access to all embedded documents — which may contain sensitive proprietary information, customer data, or intellectual property — as well as code execution on the host and potential pivot to connected AI inference infrastructure.

Vulnerability Mechanics

The vulnerability exists in ChromaDB’s Python FastAPI server (versions 1.0.0 through 1.5.8). ChromaDB’s server supports loading embedding models from HuggingFace to process document collections. The model loading pathway is handled by a FastAPI endpoint that accepts a repository reference and fetches the specified model before applying authentication controls.

An attacker can submit a request specifying a controlled or malicious HuggingFace repository as the model source. When ChromaDB fetches and loads the model, the deserialization of the malicious model file (using pickle-based serialization common in Python ML frameworks) executes attacker-controlled Python code in the ChromaDB server process. Authentication controls are never evaluated because the code execution occurs during the model loading stage, before the request reaches authenticated endpoints.

The Rust-based ChromaDB server is not affected — the vulnerability is specific to the Python FastAPI implementation.

Exposure Scope

HiddenLayer’s Shodan analysis found that approximately 73% of publicly discoverable ChromaDB deployments run the affected Python FastAPI server. ChromaDB is commonly deployed without authentication in development and internal environments on the assumption that network-level controls provide sufficient isolation. However, misconfiguration and cloud security group errors frequently expose these deployments to the internet.

In enterprise RAG deployments, ChromaDB typically contains embeddings of internal documents — knowledge bases, documentation, customer records, code repositories — making it a high-value intelligence collection target in addition to a code execution entry point.

No Patch Available

The ChromaDB maintainers have not released a patched version as of 20 May. The disclosure was coordinated with the ChromaDB team prior to publication, but no patch release timeline has been communicated publicly.

The Rust server is unaffected and represents a migration path rather than a patch for existing Python server deployments.

Immediate Mitigations

Block internet access to ChromaDB ports: ChromaDB’s default port (8000) and any custom port configured for the FastAPI server should not be accessible from untrusted networks. Check cloud security groups, network ACLs, and firewall rules for any rules permitting inbound access to ChromaDB ports from the internet or from untrusted network segments.

Disable model loading from external sources: In environments where document embedding is handled at ingest time and model loading from external repositories is not required at runtime, configure ChromaDB to reject external model load requests. This eliminates the specific attack vector without requiring a server migration.

Audit for exploitation indicators: Review ChromaDB server logs for requests to the model-loading endpoint from unexpected sources. Check for unexpected processes spawned from the ChromaDB server process and unexpected outbound network connections from the host.
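The log review above can be scripted. This is an added example, not ChromaDB tooling: it parses the access-log line format that uvicorn, the server FastAPI normally runs under, writes by default, keeps only requests to the model-loading endpoint, and flags those whose source address falls outside the networks you expect to call that endpoint. The advisory does not name the endpoint's route, so `MODEL_LOAD_PATH` is a placeholder to be replaced with the route from your deployment; the trusted networks and the log lines are constructed for the demonstration.

```python
"""Audit uvicorn access logs for model-loading requests from unexpected sources (added example)."""
import ipaddress
import re
from collections import Counter

# PLACEHOLDER: substitute the real route of the model-loading endpoint on your build.
MODEL_LOAD_PATH = "/api/v1/models/load"

# Constructed assumption: internal ranges from which model-load calls are legitimate.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# uvicorn access-log format: '<client ip>:<port> - "<METHOD> <path> HTTP/x.y" <status> <reason>'
ACCESS_LINE = re.compile(
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ - "(?P<method>\w+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    'INFO:     10.20.3.14:40212 - "POST /api/v1/collections HTTP/1.1" 200 OK',
    'INFO:     10.20.3.14:40213 - "POST /api/v1/models/load HTTP/1.1" 200 OK',
    'INFO:     203.0.113.7:51234 - "POST /api/v1/models/load HTTP/1.1" 200 OK',
    'INFO:     203.0.113.7:51240 - "POST /api/v1/models/load HTTP/1.1" 500 Internal Server Error',
    'INFO:     192.168.9.2:33001 - "GET /api/v1/heartbeat HTTP/1.1" 200 OK',
    'INFO:     198.51.100.23:60001 - "POST /api/v1/models/load?ref=x HTTP/1.1" 200 OK',
]


def is_trusted(src: str) -> bool:
    """True when the source address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit_model_load_requests(lines: list[str]) -> list[dict]:
    """Return one finding per request to the model-loading endpoint, marking untrusted sources."""
    findings = []
    for line in lines:
        m = ACCESS_LINE.search(line)
        if not m:
            continue  # not an access-log line (startup messages, tracebacks, ...)
        path = m.group("path").split("?", 1)[0]  # ignore the query string when matching
        if path != MODEL_LOAD_PATH:
            continue
        src = m.group("src")
        findings.append({
            "src": src,
            "method": m.group("method"),
            "status": int(m.group("status")),
            "trusted": is_trusted(src),
        })
    return findings


def untrusted_source_counts(lines: list[str]) -> Counter:
    """Count model-load requests per source address outside the trusted networks."""
    return Counter(f["src"] for f in audit_model_load_requests(lines) if not f["trusted"])


if __name__ == "__main__":
    for src, n in untrusted_source_counts(SAMPLE_LOG).most_common():
        print(f"{src}: {n} model-load request(s) from outside trusted networks")
```

Two caveats follow from the page's description. A hit from a trusted address is not clean by itself, since the endpoint is reachable before authentication and any host that can route to port 8000 can call it, so the output is a triage list, not a verdict. And the access log records only that the endpoint was called, not which repository was requested; if request bodies are not logged, the host-level checks the page lists (unexpected child processes of the server, unexpected outbound connections) are what confirm whether a flagged request loaded anything.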

Evaluate migration to Rust server: For environments where the Python FastAPI server is in use and the Rust migration is feasible, the Rust implementation is the definitive remediation path until a patched Python version is available.

Inventory all ChromaDB deployments: In enterprise environments where AI development is distributed across teams, shadow ChromaDB instances are common. Scan internal networks for hosts listening on ChromaDB’s default port to identify unregistered instances.
