9.3
CVE-2026-45829: ChromaDB Python project: Unauthenticated code execution
CVE-2026-45829
GHSA-f4j7-r4q5-qw2c
Summary
The ChromaDB Python project, version 1.0.0 or later, contains a pre-authentication code injection vulnerability. An attacker who can reach the server's HTTP API can, without any credentials, send a request to the collections endpoint that names a malicious model repository and sets trust_remote_code to true, causing the server to run arbitrary code. No fixed version is listed on this page; see "What to do" below.
What to do
No fix is available yet. Check with your software vendor for updates. Until one is, treat any network path by which untrusted clients can reach the server's HTTP API as an exposure, since the attack needs no credentials; Chroma's own authentication does not close it.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | chromadb | >= 1.0.0, <= 1.5.9 |
Original title
ChromaDB Python project has a pre-authentication code injection vulnerability
Original description
A pre-authentication code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
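The description above names two concrete indicators: the endpoint path and the trust_remote_code parameter. The following is an added example, not code from the advisory or from the ChromaDB project, that turns those indicators into a detection check over captured request bodies and a version check against the affected range in the table. It assumes requests are available as (path, JSON body) pairs, for instance from a reverse proxy that logs bodies; the exact position of trust_remote_code inside the collection request body is not given on this page, so the check searches the JSON recursively rather than assuming a layout. The sample requests, including the "attacker/evil-model" repository name, are constructed for this example.

```python
import json
import re
from typing import Any, Iterator

# Affected range taken from the advisory's table: >= 1.0.0, <= 1.5.9.
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 5, 9)

# Endpoint named in the advisory; {tenant} and {db} are path parameters.
# Sub-resources such as /collections/<id>/add are deliberately not matched.
COLLECTIONS_PATH = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/?$")


def parse_version(version: str) -> tuple:
    """Reduce a version string to its leading numeric components for comparison.

    '1.5.9' -> (1, 5, 9); a pre-release tag like '1.6.0rc1' yields (1, 6, 0).
    This is a deliberately small parser, not a full PEP 440 implementation.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when an installed chromadb version falls inside the advisory's range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_keys(obj: Any, key: str) -> Iterator[Any]:
    """Yield every value stored under `key` anywhere in a nested JSON object.

    The advisory names the parameter but not where it sits in the body,
    so the search is recursive instead of assuming a fixed layout (assumption).
    """
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from find_keys(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_keys(item, key)


def is_suspicious_request(path: str, body: str) -> bool:
    """Flag a request to the collections endpoint whose body sets trust_remote_code to true.

    The string forms 'true'/'True' are treated like the boolean, because clients
    differ in how they encode the flag. Non-JSON bodies are ignored.
    """
    if not COLLECTIONS_PATH.match(path.split("?", 1)[0]):
        return False
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return False
    for value in find_keys(payload, "trust_remote_code"):
        if value is True or (isinstance(value, str) and value.lower() == "true"):
            return True
    return False


# Constructed sample traffic (path, body); not real captured requests.
SAMPLE_REQUESTS = [
    ("/api/v2/tenants/default_tenant/databases/default_database/collections",
     json.dumps({"name": "docs",
                 "configuration": {"embedding_function": {
                     "name": "huggingface",
                     "config": {"model_name": "attacker/evil-model",
                                "trust_remote_code": True}}}})),
    ("/api/v2/tenants/default_tenant/databases/default_database/collections",
     json.dumps({"name": "docs", "metadata": {"hnsw:space": "cosine"}})),
    ("/api/v2/tenants/default_tenant/databases/default_database/collections", ""),
    ("/api/v2/tenants/t/databases/d/collections/abc/add",
     json.dumps({"ids": ["1"], "documents": ["trust_remote_code true"]})),
    ("/api/v2/tenants/t/databases/d/collections?x=1",
     json.dumps({"name": "x", "trust_remote_code": "true"})),
]


def scan(requests) -> list:
    """Return the indexes of requests that match both indicators."""
    return [i for i, (path, body) in enumerate(requests) if is_suspicious_request(path, body)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(f"request {i}: trust_remote_code=true sent to the collections endpoint")
    print("chromadb 1.5.9 in affected range:", is_affected("1.5.9"))
```

The path check is anchored to the collections endpoint itself so that ordinary document writes under a collection, which may legitimately contain the string "trust_remote_code" in user content, are not flagged; only the named endpoint combined with the named parameter set to true trips the check.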
NVD CVSS 4.0 score: 10.0
Vulnerability type: CWE-94 (Code Injection)
Published: 18 May 2026 · Updated: 29 May 2026 · First seen: 18 May 2026