CVE-2026-45829

Published May 18, 2026

Last updated a day ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-45829 describes a pre-authentication code injection vulnerability found in version 1.0.0 and later of the ChromaDB Python project. This flaw allows an unauthenticated attacker to execute arbitrary code on the server. The vulnerability is exploited by sending a specially crafted malicious model repository with the `trust_remote_code` parameter set to true to the `/api/v2/tenants/{tenant}/databases/{db}/collections` endpoint. This can lead to the server loading and running the attacker's arbitrary code.

Description
A pre-authentication code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
Source
6f8de1f0-f67e-45a6-b68f-98777fdb759c
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
10
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

Weaknesses

6f8de1f0-f67e-45a6-b68f-98777fdb759c
CWE-94

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

9