CVE Alert

CVE-2026-45829

Severity: CRITICAL
CVSS Score: 10.0
EPSS Score: 12.4%
EPSS Percentile: 96th

A pre-authentication code injection vulnerability in the ChromaDB Python project, version 1.0.0 and later, allows an unauthenticated attacker to run arbitrary code on the server. The attacker sends a request to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint whose embedding-model configuration points at a malicious model repository and sets trust_remote_code to true; with that flag enabled, the model loader executes code shipped inside the repository when the server loads the model, with no authentication required beforehand.

CWE: CWE-94 (Improper Control of Generation of Code)
Vendor: chroma
Product: chromadb
Published: May 18, 2026
Last Updated: Jun 29, 2026

Affected Versions

Chroma / ChromaDB
1.0.0 ≤ * (1.0.0 and later; no fixed release is listed)
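The two facts above that a defender can act on are the request shape (a write to the v2 collections endpoint that enables trust_remote_code) and the affected range (1.0.0 and later). The following is an added example, not code from the advisory or from the Chroma project: a request filter that a reverse proxy or WAF hook in front of ChromaDB could apply, plus a check of a version string against the listed range. The JSON bodies are constructed samples, and the nesting of the embedding-function configuration under "configuration" is an assumed layout, not Chroma's documented schema; the walker is therefore schema-agnostic and flags a truthy trust_remote_code wherever it appears.

```python
import json
import re
from typing import Any, Dict, List

# Endpoint named in the advisory. Tenant and database segments are wildcards;
# both the collection list/create path and a single collection are matched.
COLLECTIONS_PATH = re.compile(
    r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections(?:/[^/]+)?/?$"
)

# Affected range from the advisory: 1.0.0 <= * (no fixed release listed).
AFFECTED_FLOOR = (1, 0, 0)


def is_affected(version: str) -> bool:
    """True when a ChromaDB version string falls inside the advisory's range."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups()) >= AFFECTED_FLOOR


def _enabled(value: Any) -> bool:
    """Treat JSON true, non-zero numbers and common truthy strings as 'on',
    so a client cannot slip past the check by sending "true" or 1."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes", "on"}
    return False


def find_trust_remote_code(node: Any, path: str = "$") -> List[str]:
    """Walk an arbitrary JSON document and return the locations at which a
    trust_remote_code key is enabled. Deliberately schema-agnostic: it does
    not assume where Chroma nests the embedding-function configuration."""
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "trust_remote_code" and _enabled(value):
                hits.append(here)
            hits.extend(find_trust_remote_code(value, here))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_trust_remote_code(value, f"{path}[{i}]"))
    return hits


def inspect_request(method: str, path: str, body: bytes) -> Dict[str, Any]:
    """Verdict for one HTTP request: {"action": "allow"|"block", "reasons": [...]}.
    Only write methods on the collections endpoint are examined; a body that
    is not JSON is blocked rather than forwarded unexamined."""
    if method.upper() not in {"POST", "PUT", "PATCH"} or not COLLECTIONS_PATH.match(path):
        return {"action": "allow", "reasons": []}
    try:
        doc = json.loads(body.decode("utf-8") if body else "null")
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return {"action": "block", "reasons": ["request body is not valid JSON"]}
    hits = find_trust_remote_code(doc)
    if hits:
        return {"action": "block",
                "reasons": [f"trust_remote_code enabled at {h}" for h in hits]}
    return {"action": "allow", "reasons": []}


# Constructed sample bodies. The nesting under "configuration" is an assumed
# layout for illustration, not a copy of Chroma's request schema.
MALICIOUS_BODY = json.dumps({
    "name": "docs",
    "configuration": {
        "embedding_function": {
            "name": "sentence_transformer",
            "config": {"model_name": "attacker/evil-model",
                       "trust_remote_code": True},
        }
    },
}).encode()

BENIGN_BODY = json.dumps({
    "name": "docs",
    "configuration": {"embedding_function": {"name": "default"}},
}).encode()

COLLECTIONS_URL = "/api/v2/tenants/default_tenant/databases/default_database/collections"

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_request("POST", COLLECTIONS_URL, body))
    print("chromadb 1.0.0 affected:", is_affected("1.0.0"))
```

Blocking at the proxy is a stopgap while the server is on an affected release; it does nothing for traffic that reaches the API without passing through the proxy, and a server that does not expose the collections endpoint to untrusted networks in the first place removes the pre-auth reach the advisory describes.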

References

NVD, CVE.org, EPSS Data

hiddenlayer.com: https://www.hiddenlayer.com/research/chromatoast-served-pre-auth
github.com: https://github.com/chroma-core/chroma/issues/6717
access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-45829
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2479623
security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45829.json

Credits

Esteban Tonglet