An unaddressed vulnerability in the ChromaDB database poses a significant risk, potentially allowing unauthorized remote attackers to gain shell access and control the server process, as reported by the cybersecurity firm HiddenLayer.
Impact on AI Applications
ChromaDB, an open-source vector database, is widely used to build AI applications, with around 13 million monthly pip downloads. Organizations such as Mintlify, Factory AI, and Weights & Biases rely on it for their operations.
The vulnerability, identified as CVE-2026-45829, also known as ChromaToast, is a pre-authentication remote code execution (RCE) flaw. If exploited, it could allow attackers to access sensitive server data, including API keys, environment variables, and sensitive files, according to HiddenLayer.
Technical Details of the Vulnerability
The flaw is attributed to two separate issues that create a larger security gap. The server’s reliance on unverified client-supplied model identifiers without authentication is at the heart of the problem, as explained by HiddenLayer.
Attackers can exploit this flaw by submitting a malicious HuggingFace model, which the server executes before running authentication checks, thus granting shell access, the cybersecurity firm explained.
HiddenLayer demonstrated this by sending a collection creation request that carried no credentials but pointed to a crafted HuggingFace model. The server runs its authentication check only after downloading and executing the model, so the request is rejected only after the model's code has already run, the firm detailed.
Current Mitigation and Response
All ChromaDB versions since 1.0.0 are vulnerable, impacting approximately 73% of publicly accessible deployments, according to HiddenLayer. Despite multiple attempts since February 17 to contact Chroma, the firm has not received a response. Independent researcher Azraelxuemo also reported the issue in November 2025, with no acknowledgment.
While the vulnerability remains unpatched, HiddenLayer advises restricting ChromaDB network access to trusted clients to mitigate the risk. A full code remediation would involve moving authentication checks before configuration loading and removing any ‘kwargs’ in requests, particularly in the V1 and V2 create_collection functions, but this has not been implemented as of ChromaDB version 1.5.8.
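The ordering problem and the remediation described above, shown side by side in Python. This is an added example, not ChromaDB's or HiddenLayer's code: the handler names, the x-api-token header, the token and the request body are hypothetical, and the loader is a harmless stand-in that only records which model identifier it was asked to resolve.

```python
# Added illustration: every name below is hypothetical, not ChromaDB code.
import hmac

API_TOKEN = "constructed-sample-token"  # constructed sample credential
SAMPLE_BODY = {  # constructed request body
    "name": "docs",
    "embedding_function": {"model_name": "example-org/example-model",
                           "kwargs": {"option": "value"}},
}
loaded_models = []  # every model identifier the stand-in loader resolved

class Unauthorized(Exception):
    pass

def load_embedding_config(config):
    # Harmless stand-in for resolving a client-supplied model identifier;
    # in the reported flaw this is the step that ran before authentication.
    loaded_models.append(config.get("model_name"))
    return dict(config)

def authenticate(headers):
    supplied = headers.get("x-api-token", "")
    if not hmac.compare_digest(supplied.encode(), API_TOKEN.encode()):
        raise Unauthorized("missing or invalid credentials")

def create_collection_auth_last(headers, body):
    # Reported ordering: configuration is loaded first, so the rejection
    # raised by authenticate() arrives after the loader has already run.
    config = load_embedding_config(body.get("embedding_function", {}))
    authenticate(headers)
    return {"name": body["name"], "config": config}

def create_collection_auth_first(headers, body):
    # Remediation ordering: authenticate, drop client-supplied kwargs,
    # and only then resolve the configuration.
    authenticate(headers)
    requested = body.get("embedding_function", {})
    config = {k: v for k, v in requested.items() if k != "kwargs"}
    return {"name": body["name"], "config": load_embedding_config(config)}

def probe(handler, headers, body=SAMPLE_BODY):
    # Returns (outcome, model identifiers resolved during this request).
    loaded_models.clear()
    try:
        handler(headers, body)
        return "accepted", list(loaded_models)
    except Unauthorized:
        return "rejected", list(loaded_models)
```

Calling probe with empty headers on each handler shows the difference: both reject the request, but only the auth-last handler has already resolved the client-supplied model identifier by the time it does.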
SecurityWeek has reached out to Chroma for comments regarding this vulnerability and will provide updates if a response is received.
