Max-severity flaw in ChromaDB for AI apps allows server hijacking By Bill Toulas May 19, 2026 06:25 PM 0 A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity score from HiddenLayer, the company that discovered it. ChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and related applications. It enables retrieving semantically relevant documents during large-language model (LLM) inference. The flaw affects the codebase containing the vulnerable Python API server logic, so the PyPI package, which has nearly 14 million monthly downloads , is at risk when servers are accessible over HTTP. Users who deploy it locally without exposing the API server online along with those using the Rust front-end, are not affected by CVE-2026-45829. According to HiddenLayer, a vulnerable API endpoint marked as authenticated allows attackers to embed model settings before authentication is checked. An attacker can send a crafted request to force ChromaDB to load a malicious model from the Hugging Face platform and execute it locally. The authentication check is only performed after that step, bypassing security. “The authentication is not missing, [it’s] just in the wrong place,” explains HiddenLayer . “By the time it fires, the model has already been fetched and executed. The server rejects the request, returns a 500, and the attacker's payload has already run.” Exposure and mitigation The researchers report that the flaw was introduced in ChromaDB 1.0.0 and was unpatched in version 1.5.8. Two weeks ago, the maintainer released version 1.5.9. However, it remains unclear if the security issue has been fixed. Since February 17, HiddenLayer researchers have attempted to contact the developer multiple times over email and social media, but received no reply. BleepingComputer contacted the Chroma team about the status of CVE-2026-45829 but had not received a response by the time of publication. We will update this article if additional details become available. According to their queries on Shodan, roughly 73% of the internet-exposed instances are running a vulnerable version of Chroma. Until it becomes clear that CVE-2026-45829 has been patched, the recommendation for impacted users is to pick the Rust frontend for their deployments or avoid exposing the Python server publicly. Another mitigation is to restrict network access to the ChromaDB API port. The researchers also recommend scanning ML model artifacts before runtime because loading public models with ‘trust_remote_code’ effectively means executing untrusted code. The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. Download Now Related Articles: 18-year-old NGINX vulnerability allows DoS, potential RCE 13-year-old bug in ActiveMQ lets hackers remotely execute commands Max severity Flowise RCE vulnerability now exploited in attacks CISA: New Langflow flaw actively exploited to hijack AI workflows New critical Exim mailer flaw allows remote code execution