Copyright © 2012 Red Hat, Inc. All rights reserved. Critical 2026-05-18T15:59:22 chromadb: ChromaDB Python Project: Arbitrary code execution via pre-authentication code injection 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CWE-502

A flaw was found in the ChromaDB Python project. This pre-authentication code injection vulnerability allows an unauthenticated attacker to execute arbitrary code on the server. The attacker can achieve this by sending a malicious model repository to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint, provided that trust_remote_code is set to true. This could lead to complete compromise of the affected system.

Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected rhelai3/bootc-cuda-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected rhelai3/bootc-gaudi-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected rhelai3/bootc-rocm-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Not affected rhelai3/disk-image-cuda-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-45829 https://nvd.nist.gov/vuln/detail/CVE-2026-45829 https://github.com/chroma-core/chroma/issues/6717 https://www.hiddenlayer.com/research/chromatoast-served-pre-auth