Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-06-12T15:16:33 chromadb: ChromaDB: Arbitrary Code Execution via Code Injection 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CWE-94

A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} if they have the UPDATE_COLLECTION permission.

A flaw was found in the ChromaDB Python project. An authenticated attacker with UPDATE_COLLECTION permission could exploit a code injection vulnerability. By sending a malicious model repository to a specific API endpoint with trust_remote_code enabled, the attacker can execute arbitrary code on the server. This could lead to a complete compromise of the affected system.

This is a post-authentication ChromaDB FastAPI flaw: exploitation requires a valid user with UPDATE_COLLECTION and a crafted request that sets trust_remote_code: true on a malicious HuggingFace model. It is not unauthenticated remote code execution. RH AI products ship a vulnerable chromadb version but do not expose the Chroma FastAPI API as the default product surface. RHOAI AutoRAG uses Llama Stack with Milvus/pgvector; RHEL AI bootc images include chromadb as a library dependency, not a network-facing Chroma server. Without a customer or misconfiguration that runs and exposes the Chroma Python server to untrusted users, the upstream attack path is not reachable. Upstream CVSS 9.4 Critical assumes network access to Chroma’s API with exploitable permissions. That does not match default RHOAI/RHEL AI architecture, so Important is the appropriate RH impact. To mitigate this issue, ensure that the `trust_remote_code` setting in ChromaDB is disabled. This setting prevents the execution of arbitrary code from remote model repositories. Consult ChromaDB documentation for specific configuration instructions to disable `trust_remote_code`. If the ChromaDB service is restarted or reloaded, verify that the setting remains disabled. Red Hat Enterprise Linux AI (RHEL AI) 3 Affected rhelai3/bootc-cuda-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Affected rhelai3/bootc-gaudi-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Affected rhelai3/bootc-rocm-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Affected rhelai3/disk-image-cuda-rhel9 Red Hat OpenShift AI (RHOAI) Affected rhoai/odh-autorag-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-45833 https://nvd.nist.gov/vuln/detail/CVE-2026-45833 https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-5