{"slug": "max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking", "title": "Max-severity flaw in ChromaDB for AI apps allows server hijacking", "summary": "A maximum-severity vulnerability, tracked as CVE-2026-45829, has been discovered in the Python FastAPI version of the open-source AI database ChromaDB, allowing unauthenticated attackers to execute arbitrary code on exposed servers. The flaw, which affects versions from 1.0.0 onward, exploits an authentication bypass where a malicious model from Hugging Face is loaded and executed before the authentication check occurs. Users who deploy the Rust frontend or do not expose the Python API server online are not affected, and mitigation recommendations include avoiding public exposure of the Python server or restricting network access to the API port.", "body_md": "A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.\nThe flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity score from HiddenLayer, the company that discovered it.\nChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and related applications. 
It enables retrieving semantically relevant documents during large language model (LLM) inference.\nThe flaw affects the codebase containing the vulnerable Python API server logic, so the PyPI package, which has nearly 14 million monthly downloads, is at risk when servers are accessible over HTTP.\nUsers who deploy it locally without exposing the API server online, along with those using the Rust front-end, are not affected by CVE-2026-45829.\nAccording to HiddenLayer, a vulnerable API endpoint marked as authenticated allows attackers to embed model settings before authentication is checked.\nAn attacker can send a crafted request to force ChromaDB to load a malicious model from the Hugging Face platform and execute it locally. The authentication check is only performed after that step, bypassing security.\n“The authentication is not missing, [it’s] just in the wrong place,” explains HiddenLayer.\n“By the time it fires, the model has already been fetched and executed. The server rejects the request, returns a 500, and the attacker's payload has already run.”\nExposure and mitigation\nThe researchers report that the flaw was introduced in ChromaDB 1.0.0 and was unpatched in version 1.5.8. Two weeks ago, the maintainer released version 1.5.9. However, it remains unclear if the security issue has been fixed.\nSince February 17, HiddenLayer researchers have attempted to contact the developer multiple times over email and social media, but received no reply.\nBleepingComputer contacted the Chroma team about the status of CVE-2026-45829 but had not received a response by the time of publication. 
We will update this article if additional details become available.\nAccording to their queries on Shodan, roughly 73% of the internet-exposed instances are running a vulnerable version of Chroma.\nUntil it becomes clear that CVE-2026-45829 has been patched, the recommendation for impacted users is to pick the Rust frontend for their deployments or avoid exposing the Python server publicly. Another mitigation is to restrict network access to the ChromaDB API port.\nThe researchers also recommend scanning ML model artifacts before runtime because loading public models with ‘trust_remote_code’ effectively means executing untrusted code.", "url": "https://wpnews.pro/news/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking", "canonical_source": "https://www.bleepingcomputer.com/news/security/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking/", "published_at": "2026-05-19 22:25:49+00:00", "updated_at": "2026-05-20 20:08:12.261232+00:00", "lang": "en", "topics": ["cybersecurity", "artificial-intelligence", "open-source", "large-language-models", "developer-tools"], "entities": ["ChromaDB", "CVE-2026-45829", "HiddenLayer", "Python FastAPI", "Hugging Face", "PyPI"], "alternates": {"html": "https://wpnews.pro/news/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking", "markdown": "https://wpnews.pro/news/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking.md", "text": "https://wpnews.pro/news/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking.txt", "jsonld": 
"https://wpnews.pro/news/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking.jsonld"}}