CVE-2026-45829

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
Configurations

No configuration.

History

27 Jun 2026, 05:16

Type Values Removed Values Added
CWE CWE-502
References
  • () https://access.redhat.com/security/cve/CVE-2026-45829 -
  • () https://bugzilla.redhat.com/show_bug.cgi?id=2479623 -
  • () https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45829.json -
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 10.0

19 May 2026, 14:16

Type Values Removed Values Added
References () https://www.hiddenlayer.com/research/chromatoast-served-pre-auth - () https://www.hiddenlayer.com/research/chromatoast-served-pre-auth -

18 May 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-05-18 17:16

Updated : 2026-06-27 05:16


NVD link : CVE-2026-45829

Mitre link : CVE-2026-45829

CVE.ORG link : CVE-2026-45829


JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-502

Deserialization of Untrusted Data