A max-severity vulnerability (CVE-2026-45829, CVSS 10.0) was disclosed affecting ChromaDB, the widely used open-source vector database for AI applications, allowing attackers to achieve unauthenticated remote code execution via a logic flaw in the Python FastAPI server’s authentication flow. Due to the potential for full server compromise, immediate mitigation is required for all internet-facing deployments.

About the Vulnerability: CVE-2026-45829

The issue originates from ChromaDB’s FastAPI server component, where user-controlled embedding function configuration is processed before authentication checks occur, leading to pre-authentication code execution. By sending a crafted HTTP POST request to the collection creation endpoint with a malicious HuggingFace model reference (with trust_remote_code enabled), attackers can force the server to download and execute arbitrary Python code before the request is rejected as unauthorized. No authentication is required to exploit this issue.

The following components are affected: 

  • ChromaDB Python FastAPI server, versions 1.0.0 through 1.5.8. 

ChromaDB is a core component in many AI and machine learning pipelines, used as a vector database and retrieval backend in agentic AI applications, RAG (Retrieval-Augmented Generation) systems, and semantic search services. With approximately 14 million monthly PyPI downloads, ChromaDB has a substantial footprint in enterprise AI deployments. Approximately 73% of internet-exposed ChromaDB instances are running vulnerable versions according to Shodan-based scanning data.

The vulnerability, dubbed “ChromaToast Served Pre-Auth” by its discoverers at HiddenLayer, was first reported by independent researcher Azraelxuemo in November 2025, and subsequently by HiddenLayer starting February 17, 2026. Multiple contact attempts to the ChromaDB maintainers went unanswered. ChromaDB released version 1.5.9 shortly before public disclosure, though whether this version fully addresses the vulnerability remains unconfirmed.

Risk Impact

At the time of writing, HiddenLayer has published a detailed technical analysis with proof-of-concept details, and there is no confirmed active exploitation in the wild. Regardless, the severity, ease of exploitation, and the large number of exposed instances make this vulnerability a critical risk, especially for cloud-hosted and internet-facing deployments.

Successful exploitation could allow attackers to gain full control of the server process, exfiltrate sensitive data including API keys, environment variables, and mounted secrets, and potentially move laterally across connected infrastructure, leading to service disruption, data exposure, or full infrastructure compromise.

Mitigation Recommendations

Users should upgrade to ChromaDB version 1.5.9 or later and verify the patch status. Organizations running the Python FastAPI server should immediately evaluate whether their deployments are internet-facing and take the following steps:

  • Switch to the Rust-based frontend, which is not affected by this vulnerability
  • Restrict network access to ChromaDB API ports to trusted clients only
  • Avoid exposing the Python API server to the public internet
  • Scan all ML model artifacts before runtime execution
  • Treat external model references as untrusted code sources

How can Orca help?

Orca enables customers to quickly identify assets running vulnerable versions of ChromaDB, understand their exposure in context, including internet accessibility, runtime reachability, and asset criticality, and prioritize remediation based on real risk rather than CVSS alone. Orca’s platform highlights affected assets directly in the newItem view, helping security teams focus on the most critical remediation paths first.


From the News Item in the Orca Platform