CVE-2026-45829 is a maximum-severity flaw in ChromaDB’s Python FastAPI server that can let unauthenticated attackers execute arbitrary code on exposed systems. HiddenLayer says the issue affects internet-facing deployments of ChromaDB 1.0.0 through 1.5.8, while local installs and the Rust frontend are not impacted.
Key points
- CVE-2026-45829 affects the Python API server in ChromaDB.
- Attackers can trigger arbitrary code execution without authentication on exposed servers.
- The flaw lets a crafted request load a malicious model from Hugging Face before the server's authentication checks run.
- ChromaDB versions 1.0.0 through 1.5.8 are reported as vulnerable; whether 1.5.9 is fixed has not yet been confirmed.
- Users should avoid exposing the Python server publicly, use the Rust frontend (which is not affected), and restrict access to the API port.