CVE-2026-45833: A code injection vulnerability in version 0
A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker who has the UPDATE_COLLECTION permission to run arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true to the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} endpoint.
Metrics
- CVSS v4.0: 9.4
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A code injection vulnerability in ChromaDB (version 0.4.17 and later) allows an authenticated attacker to execute arbitrary code on the server. The attack is reachable over the network and requires only a low-privilege account with UPDATE_COLLECTION permission; no victim interaction is needed. Successful exploitation gives the attacker full remote code execution on the host running ChromaDB. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream ships a fix.
HarborGuard Coverage
Detection for CVE-2026-45833 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ChromaDB. Any image found running ChromaDB 0.4.17 or later is flagged for triage immediately.
Status: Available
HarborGuard is capable of scoring this CVE at its CVSS v4.0 severity of 9.4 (Critical) and weighting that score against each environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the ChromaDB advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated release appears. In the meantime, customers can apply compensating controls such as network-policy isolation of ChromaDB endpoints and restriction of UPDATE_COLLECTION permissions to the minimum required set of service accounts.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The ChromaDB API endpoint is exposed over the network, so the attacker must be able to reach the service via HTTP from a remote host.
- Authentication: Required
A low-privilege account holding the UPDATE_COLLECTION permission is sufficient; no admin credentials are needed.
- Victim interaction: Not required
The attacker sends a crafted API request directly to the server; no user action or social engineering is involved.
- Attack complexity: Detail
Exploitation is reliable and condition-free; the attacker simply supplies a malicious model repository path with trust_remote_code set to true in a standard API call.
Blast Radius
- The attacker executes arbitrary code in the context of the ChromaDB server process, with full access to its runtime environment.
- All data stored in ChromaDB collections is readable, including embeddings, metadata, and any documents indexed by the application.
- The attacker can modify or delete collection data, corrupting the vector store and any downstream application that depends on it.
- If the ChromaDB process runs with elevated host permissions or shares a network with other services, the attacker can pivot further into the surrounding infrastructure.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45833 is active now, and any image containing an affected ChromaDB version is surfaced in the customer dashboard with a Critical severity rating. Because no upstream patch exists, HarborGuard will continue polling the ChromaDB advisory on every ingest cycle and will automatically initiate the rebuild-and-PR flow (for customers with auto-remediation enabled) the moment a fixed version is published. While waiting for an upstream fix, customers are encouraged to use network policies to restrict access to ChromaDB API endpoints to trusted service accounts only, revoke UPDATE_COLLECTION permissions from accounts that do not strictly require them, and consider disabling or gating any feature path that sets trust_remote_code to true until a patch is available.
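One way to gate the trust_remote_code path until a patch is available, shown as an added example (not HarborGuard or ChromaDB code): a check that a reverse proxy or API gateway in front of ChromaDB could run on each request to the collections endpoint. The advisory does not give the request schema, so the check assumes a JSON body and looks for the flag at any depth; the function names and the generalised tenant and database segments are assumptions.

```python
import json
import re

# Path shape taken from the advisory; tenant/database segments generalised (assumption).
COLLECTION_PATH = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/[^/]+/?$")
FLAG = "trust_remote_code"
TRUTHY_STRINGS = {"true", "1", "yes", "on"}

def _is_truthy(value):
    """Treat booleans, non-zero numbers and truthy strings as 'enabled'."""
    if isinstance(value, str):
        return value.strip().lower() in TRUTHY_STRINGS
    return bool(value) if isinstance(value, (bool, int, float)) else False

def flag_locations(node, path="$"):
    """Return the JSON paths of every enabled trust_remote_code key, at any depth."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() == FLAG and _is_truthy(value):
                hits.append(child)
            hits.extend(flag_locations(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(flag_locations(value, f"{path}[{index}]"))
    elif isinstance(node, str) and node.lstrip()[:1] in ("{", "["):
        # Configuration is sometimes carried as JSON encoded inside a string field.
        try:
            hits.extend(flag_locations(json.loads(node), path + "<json>"))
        except ValueError:
            pass
    return hits

def gate_request(path, body):
    """Decide (allow, reason) for one request seen by a proxy in front of ChromaDB."""
    if not COLLECTION_PATH.match(path.split("?", 1)[0]):
        return True, "not a collection endpoint"
    if not body:
        return True, "no body"
    try:
        document = json.loads(body)
    except ValueError:
        return False, "unparseable body on collection endpoint (fail closed)"
    hits = flag_locations(document)
    if hits:
        return False, "trust_remote_code enabled at " + ", ".join(hits)
    return True, "no trust_remote_code flag"
```

The denial reason names the JSON path of the flag, so the same function can feed an alert for accounts that attempt the setting as well as block the request.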
- Chroma / ChromaDB: ≤ *
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H