πŸ” CVE Alert

CVE-2026-45833

Severity: UNKNOWN 0.0
CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker who has the UPDATE_COLLECTION permission to run arbitrary code on the server by sending a malicious model repository, with trust_remote_code set to true, to the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} endpoint.

CWE: CWE-94
Vendor: chroma
Product: chromadb
Published: Jun 12, 2026
Last Updated: Jun 12, 2026

Affected Versions

Chroma / ChromaDB
0.4.17 ≤ *

References

NVD, CVE.org, EPSS Data
hiddenlayer.com: https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-5