πŸ” CVE Alert

CVE-2026-45829

Severity: UNKNOWN 0.0
CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

CWE: CWE-94
Vendor: chroma
Product: chromadb
Published: May 18, 2026
Last Updated: May 19, 2026

Affected Versions

Chroma / ChromaDB
1.0.0 ≤ *

References

hiddenlayer.com: https://www.hiddenlayer.com/research/chromatoast-served-pre-auth
github.com: https://github.com/chroma-core/chroma/issues/6717

Credits

Esteban Tonglet