ChromaDB CVE-2026-45829 exposes internet-facing Python API servers to unauthenticated RCE

Researchers disclosed CVE-2026-45829, a maximum-severity flaw in ChromaDB's Python FastAPI server that can let unauthenticated attackers force the server to fetch and execute a malicious Hugging Face model. The bug affects the Python API code introduced in ChromaDB 1.0.0 and was reportedly still present in 1.5.8; it was unclear at publication whether 1.5.9 fixed it. HiddenLayer said about 73% of internet-exposed instances were running vulnerable versions.
Why it matters: Organizations exposing ChromaDB's Python API over HTTP could face full server compromise without authentication. Defenders should immediately restrict exposure, prefer the Rust frontend where possible, and verify whether deployed versions are patched.
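To make the "verify whether deployed versions are patched" step concrete, here is an added triage helper (not part of the original report or the ChromaDB project) that classifies an inventory of ChromaDB instances against the version range the report gives: Python FastAPI server, affected from 1.0.0 through 1.5.8, with 1.5.9 marked as unconfirmed. Treating Rust-frontend instances as out of scope for this CVE follows the report's recommendation to prefer the Rust frontend and is an assumption; the inventory records, `Instance`, `classify` and `triage` are constructed for this example.

```python
"""Version triage for the ChromaDB CVE-2026-45829 summary above.

Added example, not code from the report or the ChromaDB project. It compares
versions numerically rather than as strings so "1.10.0" is not mistaken for
an older release than "1.5.8".
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Range as stated in the report: the Python API code was introduced in 1.0.0
# and was still vulnerable in 1.5.8; whether 1.5.9 fixes it was unknown at
# publication. Anything newer is also "unknown" here, since the report does
# not cover it.
FIRST_AFFECTED = (1, 0, 0)
LAST_KNOWN_AFFECTED = (1, 5, 8)
UNCONFIRMED_FIX = (1, 5, 9)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.5.8', 'v1.5.8' or '1.5.8.dev0' into an (int, int, int) tuple."""
    parts: List[int] = []
    for piece in text.strip().lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:          # stop at the first non-numeric component
            break
        parts.append(int(digits))
    while len(parts) < 3:       # pad '1.5' -> (1, 5, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


@dataclass
class Instance:
    """One deployed ChromaDB server from an asset inventory (constructed)."""
    host: str
    version: str
    frontend: str               # "python" (FastAPI server) or "rust"
    internet_exposed: bool


def classify(inst: Instance) -> str:
    """Return 'vulnerable', 'unknown' or 'not-affected' per the report's range."""
    if inst.frontend.lower() == "rust":
        return "not-affected"   # assumption: Rust frontend is outside this CVE
    v = parse_version(inst.version)
    if v < FIRST_AFFECTED:
        return "not-affected"   # Python API code only exists from 1.0.0
    if v <= LAST_KNOWN_AFFECTED:
        return "vulnerable"
    return "unknown"            # 1.5.9 and later: fix status not confirmed


def triage(inst: Instance) -> str:
    """Map classification plus exposure onto an action for the defender."""
    status = classify(inst)
    if status == "vulnerable":
        # Exposed instances are the ones the report describes as at risk of
        # unauthenticated compromise; restrict access first, then patch.
        return "restrict-and-patch-now" if inst.internet_exposed else "patch"
    if status == "unknown":
        return "confirm-fix-status"
    return "ok"


def summarize(instances: List[Instance]) -> Dict[str, int]:
    """Count instances per triage action, for a quick status report."""
    counts: Dict[str, int] = {}
    for inst in instances:
        action = triage(inst)
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    Instance("vec-prod-01.example", "1.5.8", "python", True),
    Instance("vec-prod-02.example", "1.10.0", "python", True),
    Instance("vec-dev-01.example", "1.2.0", "python", False),
    Instance("vec-rust-01.example", "1.5.8", "rust", True),
    Instance("vec-legacy-01.example", "0.6.3", "python", True),
    Instance("vec-stage-01.example", "1.5.9", "python", False),
]

if __name__ == "__main__":
    for inst in SAMPLE_INVENTORY:
        print(f"{inst.host:24} {inst.version:8} {inst.frontend:7} "
              f"exposed={inst.internet_exposed!s:5} -> {triage(inst)}")
    print(summarize(SAMPLE_INVENTORY))
```

Feed it whatever your inventory exports (version strings from the servers' own version endpoints or from deployment manifests); the point is that the decision is driven by a numeric version comparison and the exposure flag, not by eyeballing strings.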

Sources

Max-severity flaw in ChromaDB for AI apps allows server hijacking
Bill Toulas 2026.05.19