ChromaDB CVE-2026-45829: Pre-Auth RCE Risk in Python Server

ChromaDB CVE-2026-45829, dubbed ChromaToast, can let an unauthenticated attacker execute code through malicious embedding model loading before authentication checks run.

ChromaDB users should review exposed deployments after HiddenLayer disclosed CVE-2026-45829, a critical pre-authentication remote code execution issue in the Python FastAPI server. The bug, dubbed ChromaToast, can let an unauthenticated attacker point the server at a malicious Hugging Face model and execute code before authentication rejects the request.[1]

This is high-signal for AI teams because ChromaDB is a widely used open-source vector database for AI applications. HiddenLayer cites 13 million monthly pip downloads and 27,500 GitHub stars, and NVD assigns the issue a CVSS 10.0 score.[1][2] There is no public report of exploitation in the wild at publication time, but the technical detail is public and the risk is straightforward for any internet-reachable Python server.

Cartoon showing ChromaDB CVE-2026-45829 remote code execution through an exposed API and embedding model loading
If the model toaster is on the public counter, check what pops out.

Who is affected and what to do now

HiddenLayer says the vulnerable feature exists in ChromaDB 1.0.0 and later and remains unpatched as of 1.5.8 in the Python FastAPI server path.[1] The Rust-based deployment path, including chroma run and Docker Hub images since 1.0.0, is described as the safer option. SecurityWeek also reports the issue as unpatched and notes that successful exploitation can expose API keys, environment variables, mounted secrets, and files reachable by the server process.[3]

Deployment                              | Immediate action
----------------------------------------|------------------------------------------------------------------------
Python FastAPI ChromaDB server 1.0.0+   | Assume affected if the HTTP API is reachable by untrusted clients.
Public or semi-public API exposure      | Restrict network access to trusted clients only.
Rust-based chroma run path              | Prefer this deployment path where feasible.
Model loading from registries           | Block or review untrusted model references and trust_remote_code behavior.

The root problem is ordering and trust. ChromaDB lets clients submit embedding-function configuration when creating a collection. In the vulnerable flow, the server loads and instantiates the model configuration before the authentication check happens. If a request includes attacker-controlled model settings and trust_remote_code: true, Python code from that model repository can run even though the API call later fails authentication.[1]
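The ordering flaw described above, reduced to a constructed Python illustration (not ChromaDB's code): the vulnerable handler acts on the request's embedding-function config before checking the caller, so a request that is later rejected with 401 has already triggered a model load; the hardened handler authenticates first, then screens the config against a hypothetical model allowlist and rejects trust_remote_code before anything is loaded. VALID_TOKEN, ALLOWED_MODELS, FakeLoader and the request shape are all assumptions made for the example.

```python
from dataclasses import dataclass, field

VALID_TOKEN = "secret-token"            # constructed credential for the demo
ALLOWED_MODELS = {"all-MiniLM-L6-v2"}   # hypothetical approved-model allowlist


@dataclass
class FakeLoader:
    """Stands in for a real model loader; it only records what it was asked to load."""
    loaded: list = field(default_factory=list)

    def load(self, cfg):
        self.loaded.append(cfg["model_name"])


def vulnerable_create_collection(req, loader):
    # BUG: the client-supplied config is instantiated before authentication,
    # so the load happens even though the request is rejected afterwards.
    loader.load(req["embedding_function"])
    if req.get("token") != VALID_TOKEN:
        return 401
    return 200


def screen_config(cfg):
    """Reject configs that could execute code or reference unapproved models."""
    if cfg.get("trust_remote_code"):
        return "trust_remote_code is not allowed"
    if cfg.get("model_name") not in ALLOWED_MODELS:
        return "model not on allowlist"
    return None


def hardened_create_collection(req, loader):
    if req.get("token") != VALID_TOKEN:
        return 401                        # nothing from the body is touched before auth
    if screen_config(req["embedding_function"]) is not None:
        return 400                        # reject before any loader runs
    loader.load(req["embedding_function"])
    return 200


# Constructed unauthenticated request carrying an untrusted model reference.
UNTRUSTED_REQUEST = {
    "token": "wrong-token",
    "embedding_function": {"model_name": "untrusted-org/untrusted-model",
                           "trust_remote_code": True},
}
```

Running both handlers on UNTRUSTED_REQUEST shows the difference: both return 401, but only the vulnerable one leaves a model name in the loader's record.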

For defenders, the first triage step is inventory. Find ChromaDB services, identify whether they run the Python FastAPI server, and confirm whether the API port is exposed beyond trusted application clients. Then check reverse proxies, Kubernetes services, firewall rules, and cloud security groups. A ChromaDB server should not be directly reachable from the internet or from broad internal networks unless there is a deliberate and authenticated access layer in front of it.

Next, review logs for unexpected collection-creation attempts, unusual model names, requests to authenticated routes that failed authentication but still triggered outbound traffic, and connections from ChromaDB hosts to model registries. Treat suspicious activity as possible server-process compromise, because successful exploitation can give the attacker access to secrets, environment variables, mounted files, and vector-store data available to the process.

This bug also fits a broader AI security pattern: model artifacts are not just data. Loading remote model code can behave like running a package from an untrusted registry. Howtofix.guide has covered adjacent risks in Gemini CLI RCE risk for CI/CD workflows, a fake Hugging Face AI repo used as an infostealer lure, and the Mini Shai-Hulud npm and PyPI package incident. The common lesson is to treat AI dependencies and model loading paths as execution surfaces, not passive content.

Until a code-level fix lands, the practical response is to move vulnerable deployments away from the Python FastAPI server path where possible, restrict the ChromaDB API to trusted clients, remove public exposure, and monitor for suspicious model-loading behavior. If a ChromaDB host was exposed, rotate secrets reachable from that process after investigating logs and filesystem access.

References

  1. HiddenLayer. ChromaToast Served Pre-Auth. Published May 18, 2026.
  2. NVD. CVE-2026-45829 Detail. Published May 18, 2026.
  3. SecurityWeek. Unpatched ChromaDB Vulnerability Can Lead to Server Takeover. Published May 19, 2026.
  4. Chroma GitHub. Security issue: CVE-2026-45829 / ChromaToast. Accessed May 19, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
