CVE Catalog

CVE-2026-45833

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile - higher than 26% of all known CVEs

Summary

A code injection vulnerability in ChromaDB Python project version 0.4.17 and later. An authenticated attacker with UPDATE_COLLECTION permission can send a malicious model repository with trust_remote_code enabled, allowing arbitrary code execution on the server.

Risk Assessment

Risk of server compromise by an authenticated attacker, potentially leading to data theft, collection modification, or further attacks on the infrastructure.

Recommendation

Immediately update ChromaDB to the latest patched version and restrict UPDATE_COLLECTION permissions to trusted users only.

Original NVD description (English source)

A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} if they have the UPDATE_COLLECTION permission.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS