CVE-2026-45829
CriticalCVSS 10.0Exploitation Probability (EPSS)
Very high risk96th percentile — higher than 96% of all known CVEs
Summary
A pre-authentication code injection vulnerability in ChromaDB Python project version 1.0.0 and later allows an unauthenticated attacker to execute arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
Risk Assessment
An attacker can take over the ChromaDB server without authentication, leading to full data compromise and potential lateral movement within the internal network.
Recommendation
Immediately update ChromaDB to the latest patched version and disable the trust_remote_code option in the server configuration if not required.
Original NVD description (English source)
A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

