Answer Brief
CVE-2026-45829 in ChromaDB’s Python FastAPI server allows unauthenticated remote code execution by executing malicious models from Hugging Face before authentication verification, affecting an estimated 73% of exposed instances and posing significant risk to agentic AI deployments reliant on dynamic model loading.
Signal Timeline
A quick visual path for analysts before reading the full brief.
1. HiddenLayer reported CVE-2026-45829 to ChromaDB maintainers
2. ChromaDB maintainer released version 1.5.9, approximately two weeks prior to public disclosure
3. BleepingComputer published details of the max-severity flaw in ChromaDB

Why It Matters
CVE-2026-45829 is a critical authentication sequencing flaw in ChromaDB's Python FastAPI server: the server validates the requester's identity only after it has already fetched and executed a machine learning model from an external source. The defect is not a missing authentication mechanism but a dangerous misordering of operations. The server loads and runs the model, pulled from Hugging Face via the 'trust_remote_code' parameter, before checking whether the requester is authenticated. An unauthenticated attacker can therefore submit a crafted request that triggers retrieval and execution of a malicious model and achieves arbitrary code execution on the server, even though the request is ultimately rejected with a 500 error once the payload has already run.

The flaw is particularly consequential in agentic AI architectures, where dynamic model loading is a core operational pattern: it subverts the assumed trust boundary between model ingestion and code execution and turns a routine AI workflow into a remote code execution vector. The vulnerability is specific to the Python-based server implementation of ChromaDB, so deployments using the Rust frontend, or running the Python server in isolated, non-network-exposed environments, are unaffected. ChromaDB's widespread adoption nonetheless amplifies the risk: the PyPI package records nearly 14 million monthly downloads, and Shodan telemetry indicates that approximately 73% of internet-exposed instances run versions known to be vulnerable, namely releases from 1.0.0 through 1.5.8. It remains uncertain whether version 1.5.9, released roughly two weeks prior to public disclosure, includes a remediation.

That ambiguity is compounded by the lack of response from the ChromaDB maintainer to multiple coordinated outreach attempts from HiddenLayer, the vulnerability's discoverer, and BleepingComputer since the initial private report on February 17, 2026. The silence raises operational concerns about the responsiveness and maintenance rigor of critical open-source AI infrastructure, particularly when security reports involve high-severity flaws with active exploitation potential.

From a defensive standpoint, this incident underscores a systemic risk in AI/ML pipelines that integrate public model repositories like Hugging Face with systems that implicitly execute code during model loading. The 'trust_remote_code' flag enables flexibility for advanced model architectures, but it introduces a latent vulnerability when paired with inadequate input validation or flawed control-flow logic. Security teams must treat model loading as a potential code execution event and enforce layered mitigations: strict provenance verification for model artifacts, runtime sandboxing to isolate execution environments, egress controls to prevent unauthorized external fetches, and network-level segmentation to limit exposure of AI service endpoints. Organizations should also audit all AI/ML infrastructure components for similar authentication-bypass anti-patterns, especially where external resource loading precedes identity verification. Monitoring for anomalous model fetch requests to untrusted domains, validating the integrity and intent of model artifacts before runtime, and verifying the sequencing of security checks in custom AI serving logic are essential operational practices. The ChromaDB case also highlights a broader challenge in AI security: vulnerabilities in supporting infrastructure can have outsized consequences because modern machine learning workflows execute code by design.

Unlike traditional applications, where a flaw might lead to data leakage or service disruption, a sequencing error in model loading in an AI system can directly result in full server compromise. This shifts the threat model from protecting model integrity or data privacy to safeguarding the execution environment itself. As AI adoption expands into agentic systems, autonomous workflows, and retrieval-augmented generation (RAG) architectures, ensuring that authentication, authorization, and input validation occur before any external code execution becomes a foundational requirement for secure AI infrastructure design.
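To make the sequencing flaw concrete, here is an added example written for this brief (constructed here, not ChromaDB's or HiddenLayer's code) that models a request handler in plain Python. The loader is a stand-in for the fetch-and-execute step, and the token, the approved-source set and the model names are assumed values. The misordered handler records a model load even though it answers 500; the hardened handler checks identity and provenance before the loader is ever called.

```python
"""Constructed model of an auth-after-load sequencing flaw and its fix."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed: one shared secret stands in for the server's auth backend.
VALID_TOKEN = "constructed-token-123"
# Constructed: model sources this deployment has approved in advance.
APPROVED_MODEL_SOURCES = {"internal-registry/approved-embedder"}


@dataclass
class Request:
    model_name: str               # model the request asks the server to load
    auth_token: Optional[str]     # None models an unauthenticated caller


@dataclass
class LoaderAudit:
    """Records each model load; stands in for fetch + execute."""
    loaded: List[str] = field(default_factory=list)

    def load_model(self, name: str) -> None:
        # In the real pattern this is where repository-supplied code would
        # run under trust_remote_code; here we only record that it happened.
        self.loaded.append(name)


def is_authenticated(req: Request) -> bool:
    return req.auth_token == VALID_TOKEN


def handle_vulnerable(req: Request, audit: LoaderAudit) -> int:
    """Misordered: load first, check identity second. The rejection
    (500) arrives only after the side effect has already occurred."""
    audit.load_model(req.model_name)
    if not is_authenticated(req):
        return 500
    return 200


def handle_hardened(req: Request, audit: LoaderAudit) -> int:
    """Corrected order: identity, then provenance, then load."""
    if not is_authenticated(req):
        return 401                      # nothing fetched, nothing executed
    if req.model_name not in APPROVED_MODEL_SOURCES:
        return 403                      # provenance / egress control
    audit.load_model(req.model_name)
    return 200


def run_unauthenticated(handler: Callable) -> Tuple[int, List[str]]:
    """Replays an unauthenticated request for an unapproved model and
    returns (status code, models the loader was asked to load)."""
    audit = LoaderAudit()
    status = handler(Request("example-hub/unreviewed-model", None), audit)
    return status, audit.loaded
```

Running `run_unauthenticated` against both handlers shows the difference that matters for detection: the same unauthenticated request leaves a loader record behind the vulnerable handler and none behind the hardened one.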
Event Type: security
Importance: high
Affected Companies
- ChromaDB
- HiddenLayer
- Hugging Face
Affected Sectors
- AI/ML
- Cloud Infrastructure
- Cybersecurity
Key Numbers
- Monthly PyPI downloads of ChromaDB: nearly 14 million
- Percentage of internet-exposed instances running vulnerable versions: 73%
- CVSS severity score assigned by HiddenLayer: maximum
Frequently Asked Questions
What is CVE-2026-45829 and how does it allow server hijacking in ChromaDB?
CVE-2026-45829 is a max-severity vulnerability in the Python FastAPI version of ChromaDB where an authentication check occurs after model loading, allowing unauthenticated attackers to force the server to load and execute a malicious model from Hugging Face via 'trust_remote_code' before authentication is verified, leading to arbitrary code execution.
Who is affected by the ChromaDB vulnerability and what are the recommended mitigations?
Users exposing the Python-based ChromaDB API server publicly are affected; local deployments and Rust frontend users are not. Mitigations include using the Rust frontend, avoiding public exposure of the Python server, restricting network access to the API port, and scanning ML model artifacts before runtime due to risks from 'trust_remote_code'.
Has the ChromaDB vulnerability been patched in version 1.5.9, and what is the current status of the fix?
It remains unclear whether ChromaDB version 1.5.9, released two weeks before disclosure, contains a fix for CVE-2026-45829. The maintainer has not responded to multiple outreach attempts from HiddenLayer and BleepingComputer since the vulnerability was reported on February 17, 2026.
Why does the 'trust_remote_code' flag in Hugging Face model loading pose a security risk in systems like ChromaDB?
The 'trust_remote_code' flag allows arbitrary code execution from model repositories, meaning that loading a model from Hugging Face with this flag effectively runs untrusted code. In ChromaDB, this becomes exploitable when model loading precedes authentication, turning a standard ML workflow into a remote code execution vector.
How should AI security teams assess whether their ChromaDB deployments are at risk from CVE-2026-45829?
Teams should verify if they are using the Python FastAPI-based server component of ChromaDB, whether it is exposed to untrusted networks, and which version is in use. If using versions prior to or including 1.5.8 (or uncertain about 1.5.9), and the server is publicly accessible, the instance is likely vulnerable. Switching to the Rust frontend or isolating the server behind strict network controls are recommended precautions.