CVE-2026-45829 and the attack chain
A maximum-severity vulnerability tracked as CVE-2026-45829 in the Python FastAPI variant of the open-source ChromaDB project lets unauthenticated actors run arbitrary code on exposed servers. HiddenLayer, the security company that discovered the issue and reported it to ChromaDB on February 17, says a vulnerable API endpoint that is marked as authenticated allows an attacker to embed model settings before the authentication check runs.
According to HiddenLayer, an attacker can craft a request that forces ChromaDB to fetch a malicious model from the Hugging Face platform and load it locally. Because the code loads and executes the model before performing authentication, the attacker’s payload runs even if the server later rejects the request and returns a 500 error. That sequence—fetch, execute, then check—creates the practical server-hijack condition HiddenLayer warned about.
Which components are at risk and who is not affected
The flaw resides in the codebase that implements ChromaDB’s Python API server logic, which means the widely used PyPI package is a potential vector when that server is exposed over HTTP. The PyPI package has nearly 14 million monthly downloads, which underscores the scale of potential exposure when deployments are internet-facing.
HiddenLayer emphasizes two exclusions: users who deploy ChromaDB locally without exposing the API server online, and users who run ChromaDB with the Rust frontend are not affected by CVE-2026-45829. The problem specifically concerns the Python FastAPI server path that loads remote model code prior to performing authentication.
Patch status, timeline, and maintainer contact
HiddenLayer reports the vulnerable behavior was introduced in ChromaDB 1.0.0 and remained unpatched in version 1.5.8. Two weeks ago, the maintainer released version 1.5.9, but HiddenLayer and BleepingComputer note it is unclear from available information whether the security issue has been fixed in that release.
Since the initial February 17 disclosure, HiddenLayer researchers said they attempted to contact the project maintainer multiple times over email and social media without receiving a reply. BleepingComputer also contacted the Chroma team about CVE-2026-45829 and had not received a response by the time of publication; the outlet said it would provide updates if additional details became available.
Measured exposure and immediate mitigations
Using Shodan queries, HiddenLayer reports roughly 73% of internet-exposed Chroma instances are running a vulnerable version. Given that level of exposure, the researchers recommend concrete, short-term mitigations: deploy the Rust frontend instead of the Python FastAPI server, or avoid exposing the Python API server to the public internet. Another recommended hardening is to restrict network access to the ChromaDB API port so only trusted hosts can reach it.
HiddenLayer also advises scanning machine‑learning model artifacts before runtime. The researchers underline that loading public models with the configuration option 'trust_remote_code' effectively equates to executing untrusted code, and should be treated as such in any threat model.
What this means for technologists, affected enterprises, and adversaries
- Technologists and security teams: Validate whether any deployed ChromaDB instances use the Python FastAPI server and are reachable over HTTP; prioritize restricting network access or switching to the Rust frontend. Scan model artifacts and audit any use of 'trust_remote_code' in pipelines.
- Affected enterprises and deployment owners: If your deployment uses the PyPI package, assume exposure until you can verify the ChromaDB version and whether 1.5.9 or a later release actually remediates CVE-2026-45829. Apply network restrictions or take the Python server offline for public traffic while you investigate.
- Adversaries and threat actors: The reported chain—forcing a remote model load before authentication—offers a repeatable pattern that opportunistic attackers could attempt against internet-facing, unpatched instances, particularly where public model fetching and 'trust_remote_code' are allowed.
For now, the record is straightforward: a critical flaw was reported on February 17; it affects the Python FastAPI server path used by the widely downloaded PyPI package; and researchers see significant internet exposure. The practical mitigations—use the Rust frontend, do not expose the Python API publicly, restrict API port access, and scan model artifacts before runtime—are immediate and implementable. What remains to be seen is whether the maintainer’s 1.5.9 release closes the hole; HiddenLayer and BleepingComputer are still awaiting clear confirmation.
Original reporting: https://www.bleepingcomputer.com/news/security/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking/




