CVE Catalog

CVE-2026-45829

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
12.39%

96th percentile — higher than 96% of all known CVEs

Summary

A pre-authentication code injection vulnerability in ChromaDB Python project version 1.0.0 and later allows an unauthenticated attacker to execute arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

Risk Assessment

An attacker can take over the ChromaDB server without authentication, leading to full data compromise and potential lateral movement within the internal network.

Recommendation

Immediately update ChromaDB to the latest patched version and disable the trust_remote_code option in the server configuration if not required.

Original NVD description (English source)

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS