CVE-2026-45829

Published May 18, 2026

Last updated 9 days ago

Severity: CVSS critical 10.0
Product: ChromaDB (ChromaDB Python Project)

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-45829 describes a pre-authentication code injection vulnerability found in version 1.0.0 and later of the ChromaDB Python project. This flaw allows an unauthenticated attacker to execute arbitrary code on the server. The vulnerability is exploited by sending a specially crafted malicious model repository with the `trust_remote_code` parameter set to true to the `/api/v2/tenants/{tenant}/databases/{db}/collections` endpoint. This can lead to the server loading and running the attacker's arbitrary code.

Description
A pre-authentication code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
Source: 6f8de1f0-f67e-45a6-b68f-98777fdb759c
NVD status: Awaiting Analysis

Risk scores

CVSS 4.0
Type: Secondary
Base score: 10
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: CRITICAL

CVSS 3.1
Type: Secondary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

CWE-94 (Improper Control of Generation of Code, 'Code Injection'), assigned by source 6f8de1f0-f67e-45a6-b68f-98777fdb759c
CWE-502 (Deserialization of Untrusted Data), assigned by source 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
