A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
References
Configurations
No configuration.
History
27 Jun 2026, 05:16
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-502 | |
| References |
|
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 10.0 |
19 May 2026, 14:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://www.hiddenlayer.com/research/chromatoast-served-pre-auth - |
18 May 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-18 17:16
Updated : 2026-06-27 05:16
NVD link : CVE-2026-45829
Mitre link : CVE-2026-45829
CVE.ORG link : CVE-2026-45829
JSON object : View
Products Affected
No product.
