Max-severity ChromaDB flaw lets attackers hijack servers

A max-severity vulnerability in ChromaDB’s Python FastAPI server, tracked as CVE-2026-45829, lets unauthenticated attackers run arbitrary code on servers exposed over HTTP. Researchers say the authentication check happens too late—after a malicious model is fe
For operators running ChromaDB’s Python API server on the open web, the danger isn’t theoretical. The flaw sits in the exact path where an exposed endpoint should block access—yet the attacker’s code can still run.
HiddenLayer, the company that discovered the issue, says a max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. The problem is tracked as CVE-2026-45829. HiddenLayer reported it to ChromaDB on February 17, and the discovery received the maximum severity score from HiddenLayer.
ChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and related applications. In practice, it helps systems retrieve semantically relevant documents during large-language model inference.
The risk is tied to how the project packages and serves its vector search functionality. The vulnerable code affects the ChromaDB codebase that contains Python API server logic—meaning the PyPI package that has nearly 14 million monthly downloads is at risk when servers are accessible over HTTP.
The same report makes a key distinction: users who deploy it locally without exposing the API server online are not affected by CVE-2026-45829. Users using the Rust front-end are also not affected by the flaw.
HiddenLayer points to a specific failure mode. It says a vulnerable API endpoint marked as authenticated allows attackers to embed model settings before authentication is checked. In other words, the door is labeled “authenticated,” but the attacker can still push their way past it—because the system processes the malicious content first.
An attacker can send a crafted request that forces ChromaDB to load a malicious model from the Hugging Face platform and execute it locally. HiddenLayer says the authentication check is only performed after that step, effectively bypassing security.
“The authentication is not missing, [it’s] just in the wrong place,” HiddenLayer explains. “By the time it fires, the model has already been fetched and executed. The server rejects the request, returns a 500, and the attacker’s payload has already run.”
That detail is likely the most unsettling part for defenders: even when the request fails from the client’s perspective, the attacker’s code may already have landed and executed on the server.
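The ordering problem described above, as an added illustration that is not ChromaDB's code or HiddenLayer's: a stub loader records calls so the side effect stays visible even when the client only sees an error. The handler names, token, allowlist and sample request are all constructed for this example.

```python
# Toy model of the check-ordering flaw; not ChromaDB code. All names are hypothetical.
LOADED = []                                   # every model the stub loader was asked to run
VALID_TOKEN = "constructed-token"
ALLOWED_MODELS = {"org/approved-embedder"}    # constructed allowlist
# Constructed unauthenticated request: no Authorization header, untrusted model config.
UNAUTH = ({}, {"embedding_model": {"name": "untrusted/example-model",
                                   "trust_remote_code": True}})

class HTTPError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status

def load_model(name, trust_remote_code=False):
    # Stand-in for a real loader, where fetching and executing model code would happen.
    LOADED.append((name, trust_remote_code))

def check_auth(headers):
    if headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
        raise HTTPError(401)

def handle_vulnerable(headers, body):
    # Ordering described above: the model config is acted on before auth fires.
    try:
        cfg = body["embedding_model"]
        load_model(cfg["name"], cfg.get("trust_remote_code", False))
        check_auth(headers)                   # too late: the load already happened
        return 200
    except Exception:
        return 500                            # client sees only a failed request

def handle_hardened(headers, body):
    # Authenticate first, validate the config second, load last.
    try:
        check_auth(headers)
        cfg = body["embedding_model"]
        if cfg["name"] not in ALLOWED_MODELS or cfg.get("trust_remote_code"):
            raise HTTPError(400)
        load_model(cfg["name"], trust_remote_code=False)
        return 200
    except HTTPError as exc:
        return exc.status
    except (KeyError, TypeError):
        return 400
```

A status code alone says nothing about whether the load ran, so a regression test for this class of bug should assert on the loader's call record, not only on the response.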
The pattern also appears in the release history. HiddenLayer reports the flaw was introduced in ChromaDB 1.0.0 and remained unpatched in version 1.5.8. Two weeks ago, the maintainer released version 1.5.9. HiddenLayer says it remains unclear if the security issue has been fixed in that update.
Since February 17, HiddenLayer researchers have attempted to contact the developer multiple times over email and social media, but have received no reply.
BleepingComputer contacted the Chroma team about the status of CVE-2026-45829, but had not received a response by the time of publication. The outlet says it will update the article if additional details become available.
The scale of exposure is stark. Based on HiddenLayer researchers’ queries on Shodan, roughly 73% of internet-exposed instances are running a vulnerable version of Chroma.
Until it’s clear that CVE-2026-45829 has been patched, the immediate recommendation for impacted users is to pick the Rust frontend for deployments or avoid exposing the Python server publicly. Another mitigation is to restrict network access to the ChromaDB API port.
HiddenLayer also urges defenders to scan ML model artifacts before runtime. The researchers warn that loading public models with ‘trust_remote_code’ effectively means executing untrusted code.
For teams building agentic AI systems, the lesson is not only that a vulnerability exists, but that the execution path is built around models and remote code loading—so defenders may need to treat configuration and endpoint exposure with the same seriousness as traditional application security.