Critical ChromaDB Vulnerability Exposes 73% of Deployments to Remote Code Execution Risks

A significant security vulnerability, identified as CVE-2026-45829 and commonly referred to as ChromaToast Served Pre-Auth, has been discovered in the open-source vector database ChromaDB. This database is extensively utilized in semantic search and AI-driven retrieval workflows, where embedding models convert text into numerical vectors for similarity matching.

The vulnerability resides in the ChromaDB FastAPI server, where configurations for user-controlled embedding functions can be processed prior to authentication checks. This design flaw permits unauthenticated HTTP requests to trigger remote code execution (RCE) under specific conditions related to HuggingFace model loading behavior.

Exposure Context of CVE-2026-45829

Recent security analyses reveal that a substantial number of internet-exposed ChromaDB instances may be vulnerable. Scanning data attributed to Shodan-based discovery indicates that approximately 73% of exposed ChromaDB deployments run version 1.0.0 or later and therefore fall within the range in which the flawed embedding function behavior exists.

The issue was first introduced in ChromaDB version 1.0.0 and remains unpatched through version 1.5.8, leaving many deployments susceptible if they rely on the Python FastAPI server.

FastAPI Endpoint Behavior and ChromaToast Attack Path

Central to CVE-2026-45829 is a FastAPI route in ChromaDB:

POST /api/v2/tenants/{tenant}/databases/{db}/collections

While this endpoint is documented as requiring authentication, the FastAPI implementation processes collection creation logic before verifying user identity. In the ChromaToast scenario, an attacker can send a collection creation request without authentication credentials. This request includes an embedding function configuration that specifies a HuggingFace model controlled by the attacker. The critical parameters involved are:

  • model_name: Points to a malicious or attacker-controlled HuggingFace repository.
  • trust_remote_code: true: Enables execution of remote Python code from the model repository.

Despite the endpoint being labeled as authenticated, the server loads the embedding model before enforcing authentication. If the model repository contains malicious code, remote code execution occurs immediately. Only after this execution step does the FastAPI authentication check run, resulting in a failed API response. From an external perspective, the request appears rejected, but the attacker has already gained code execution.

Demonstration of CVE-2026-45829 and ChromaToast Execution Flow

The demonstration of CVE-2026-45829 highlights a critical ordering flaw in the FastAPI server behavior. When a request reaches the collection creation endpoint with a malicious embedding configuration, the server performs the following actions:

  1. Accepts the request without verifying credentials.
  2. Loads the embedding function using attacker-defined parameters.
  3. Downloads and executes a HuggingFace model containing remote code.
  4. Only afterward performs authentication validation.

This sequence results in a scenario where the response returns an error (such as HTTP 500 or authentication failure), while the attacker has already established a shell on the system.

Once executed, the attacker can access:

  • Environment variables
  • API keys
  • Mounted secrets
  • Any data stored on disk accessible to the ChromaDB process

Technical Breakdown of ChromaDB FastAPI and ChromaToast Root Cause

The root cause of CVE-2026-45829 lies in how ChromaDB FastAPI handles embedding function instantiation. Embedding models are neural networks that convert text into vectors for semantic search. ChromaDB allows users to define embedding configurations per collection, which can be dangerous if the server directly consumes client-provided configuration values and passes them into model loading functions.

A key parameter in this process is:

  • trust_remote_code = true: This HuggingFace flag allows execution of custom Python code bundled inside a model repository. While intended for legitimate model customization, it effectively turns model loading into code execution.

ChromaDB performs minimal validation on this parameter, treating it as a primitive boolean. Consequently, it passes through the FastAPI request pipeline unmodified. Three registered embedding function implementations in ChromaDB forward these kwargs directly into model loading logic, creating reachable attack paths.

Authentication Ordering Bug

The most critical design issue is the timing of authentication checks. In the ChromaDB FastAPI server, authentication is executed after embedding initialization. This ordering means the model is downloaded and executed before the server determines whether the request is authorized. Even if authentication fails, the malicious payload has already executed.

This vulnerability pattern exists in both V1 and V2 API routes, and neither can be disabled independently in affected versions.

Impact of ChromaToast and CVE-2026-45829

The impact of CVE-2026-45829 is severe, resulting in unauthenticated remote code execution on systems running the ChromaDB FastAPI server. The attacker effectively gains:

  • Full control of the ChromaDB process
  • Access to sensitive runtime environment data
  • Ability to extract stored vector database content
  • Potential lateral movement into connected infrastructure

Exposure and Real-World Risk

Given the observed 73% exposure rate of vulnerable versions in internet-facing deployments, the attack surface is substantial. Systems running ChromaDB version 1.0.0 through 1.5.8 are at risk if the FastAPI service is exposed to untrusted networks.

Mitigations for CVE-2026-45829

While a complete code-level fix would involve moving authentication before any configuration parsing and stripping unsafe fields like kwargs, the vulnerability remains unpatched in version 1.5.8. Recommended mitigations include:

  • Prefer the Rust-based deployment (chroma run) or official Docker images, which are not affected by this FastAPI issue.
  • Restrict network access to the ChromaDB FastAPI port so only trusted clients can connect.
  • Avoid exposing ChromaDB directly to the public internet.
  • Treat all external model references as untrusted code execution sources.
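As an added defensive example (not ChromaDB's own code), the following Python sketch shows the hardened ordering the mitigation paragraph describes and the validation the root-cause section says is missing: authenticate before the request body is inspected, refuse trust_remote_code, drop pass-through kwargs instead of forwarding them, and allowlist model_name. The request body shape, the key names, the allowlist contents and the bearer-token check are all assumptions for illustration.

```python
from typing import Any, Callable

# Constructed allowlist of embedding models the operator has vetted (assumption).
ALLOWED_MODELS = {"sentence-transformers/all-MiniLM-L6-v2"}
# Hypothetical names of loader pass-through fields; they are dropped, never forwarded.
PASSTHROUGH_KEYS = {"kwargs", "model_kwargs"}


class RejectedConfig(ValueError):
    """Raised when a client-supplied embedding config must not reach a model loader."""


def sanitize_embedding_config(body: dict[str, Any]) -> dict[str, Any]:
    """Validate the embedding_function section of a create-collection body.

    Rules: trust_remote_code may never be enabled, pass-through kwargs are
    stripped rather than forwarded, and model_name must be on the allowlist.
    """
    ef = body.get("embedding_function")
    if ef is None:
        return dict(body)  # nothing would be loaded, nothing to check
    if not isinstance(ef, dict):
        raise RejectedConfig("embedding_function must be an object")
    # Treat any truthy spelling (True, "true", 1) as an attempt to enable it.
    if str(ef.get("trust_remote_code", False)).lower() in {"true", "1"}:
        raise RejectedConfig("trust_remote_code is not permitted")
    model = ef.get("model_name")
    if model not in ALLOWED_MODELS:
        raise RejectedConfig(f"model_name {model!r} is not allowlisted")
    cleaned = {k: v for k, v in ef.items() if k not in PASSTHROUGH_KEYS}
    return {**body, "embedding_function": cleaned}


def gate_create_collection(headers: dict[str, str], body: dict[str, Any],
                           is_authenticated: Callable[[dict[str, str]], bool]) -> tuple[int, str]:
    """Hardened ordering: authenticate, then validate, and only after both
    succeed would a model loader ever be invoked. Returns (http_status, reason)."""
    if not is_authenticated(headers):
        return 401, "unauthenticated: request body never inspected"
    try:
        sanitize_embedding_config(body)
    except RejectedConfig as exc:
        return 400, f"rejected embedding config: {exc}"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed placeholder auth check: a fixed bearer token (assumption).
    auth = lambda h: h.get("Authorization") == "Bearer example-token"
    body = {"name": "docs", "embedding_function": {
        "model_name": "example-org/unvetted-model", "trust_remote_code": True}}
    print(gate_create_collection({}, body, auth))
    print(gate_create_collection({"Authorization": "Bearer example-token"}, body, auth))
```

Note that the unauthenticated case never reaches sanitize_embedding_config at all, which is the ordering property the vulnerable server lacks.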

For further details, refer to the original reporting source: thecyberexpress.com.
