Unpatched ChromaDB flaw leaves servers open to remote code execution
Summary
ChromaDB, a popular vector database used in AI applications, has a critical vulnerability (CVE-2026-45829) that allows unauthenticated attackers to run arbitrary code on servers. The flaw exists because ChromaDB performs its authentication check only after it has already downloaded and executed a model from Hugging Face, so an attacker can get the server to run their code simply by uploading a malicious model and requesting that ChromaDB use it.
Solution / Mitigation
Until a patch becomes available, researchers advise: (1) deploy ChromaDB using the Rust implementation instead of the Python FastAPI server, as the Rust version is not affected, and (2) restrict network access to the ChromaDB port to trusted IP addresses only.
Original source: https://www.csoonline.com/article/4175958/unpatched-chromadb-flaw-leaves-servers-open-to-remote-code-execution.html
First tracked: May 21, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%