An unpatched vulnerability in ChromaDB might enable distant, unauthenticated attackers to spawn a shell and take management of the server course of, HiddenLayer stories.
ChromaDB is an open supply vector database for constructing AI purposes. It has roughly 13 million month-to-month pip downloads and is utilized by high-profile organizations, together with Mintlify, Manufacturing unit AI, and Weights & Biases.
Tracked as CVE-2026-45829 and known as ChromaToast, the pre-authentication distant code execution (RCE) flaw may very well be exploited to leak delicate data the server has entry to, together with API keys, setting variables, mounted secrets and techniques, and all recordsdata on the disk, in accordance with HiddenLayer.
“The foundation reason for CVE-2026-45829 is 2 unbiased failures that compound one another. The server trusts client-supplied mannequin identifiers with out restriction, and acts on that belief earlier than authenticating the consumer sending the request,” HiddenLayer says.
An unauthenticated attacker can set off the flaw by supplying a malicious HuggingFace mannequin that’s executed earlier than authentication checks, offering an attacker with shell entry, the cybersecurity agency explains.
HiddenLayer exploited the difficulty by sending a group creation request that didn’t comprise credentials however pointed to a crafted HuggingFace mannequin.
“Regardless of no credentials being supplied, the server accepts the request, reaches out to HuggingFace, downloads our mannequin, and executes it. It’s only then that the server runs its authentication verify and rejects the request,” the corporate explains.
Profitable exploitation of the bug supplies the attacker with full management of the server course of and with entry to every part it could attain.
The vulnerability impacts all ChromaDB iterations since model 1.0.0, and roughly 73% of the internet-accessible deployments are affected, HiddenLayer says.
The cybersecurity agency says it has tried to report the difficulty to Chroma a number of instances by way of a number of channels beginning February 17, however has acquired no response. Unbiased researcher Azraelxuemo says they reported the flaw in November 2025, however acquired no response both.
Whereas unpatched, CVE-2026-45829 probably exposes susceptible ChromaDB deployments to takeover assaults. Limiting community entry to ChromaDB to trusted purchasers solely ought to mitigate the bug, HiddenLayer notes.
“Full remediation within the code can be to maneuver the authentication verify earlier than configuration loading and stripping any keys named ‘kwargs’ from requests in each the V1 and V2 create_collection handles. Nonetheless, this isn’t patched as of ChromaDB 1.5.8,” the corporate says.
information.killnetswitch has emailed Chroma for a press release on the vulnerability and can replace this text if the corporate responds.
