
Pre-Auth RCE in ChromaDB Python Server Earns 10.0 Severity

A max-severity flaw in ChromaDB's Python API server allows unauthenticated attackers to execute arbitrary code by loading remote malicious models.

A critical vulnerability in ChromaDB disclosed on May 19, 2026, allows unauthenticated remote attackers to execute arbitrary code on exposed API servers. Tracked as CVE-2026-45829 and designated “ChromaToast”, the 10.0 severity flaw affects the Python-based API server of the vector database. If you use this database for your RAG applications, an exposed instance is currently at risk of full system compromise.

The Authentication Bypass Logic

The vulnerability is rooted in a fundamental logic error during the handling of incoming collection creation requests. The Python server performs its authentication check after it processes client-supplied configuration settings. This oversight leaves the pre-processing phase completely exposed to unauthenticated input.

Specifically, the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint allows connecting clients to dictate model configurations, including the highly sensitive trust_remote_code parameter. An attacker can send a crafted request instructing the server to fetch and load a malicious model from a remote repository like Hugging Face. Because the server loads the configuration and executes the model’s initialization code prior to validating the user’s credentials, the malicious payload triggers immediately.

The payload executes with the exact privileges of the running ChromaDB process. Once the payload finishes executing, the server typically encounters a failure in the subsequent (and delayed) authentication check and returns a 500 internal server error, hiding the successful compromise behind standard application noise.

Scope of Exposure

The flaw impacts all versions of the ChromaDB Python project from 1.0.0 through 1.5.8. According to telemetry from cybersecurity firm HiddenLayer, which officially reported the issue to maintainers in February 2026, approximately 73% of internet-facing ChromaDB instances are running vulnerable versions.

Successful exploitation grants complete server takeover. Attackers can exfiltrate sensitive backend information, including API keys, environment variables, mounted secrets, and the contents of the underlying local file system. This level of access often serves as a pivot point for broader network intrusion.

As of the public disclosure on May 19, it remains unverified whether version 1.5.9, deployed approximately two weeks prior, fully remediates the logic flaw. The maintainers have not issued an official security advisory or confirmed a patch for the vulnerability.

Mitigation Pathways

If you must operate the Python FastAPI version of ChromaDB, restrict network access immediately. The API port should never be exposed directly to the public internet. Configure your network security groups and firewalls to ensure the server is only reachable by trusted internal clients.

Architectural changes offer a more permanent defense. The Rust-based frontend and local database deployments that do not expose the API server are entirely unaffected by this vulnerability. Moving toward isolated backend services aligns with modern secure deployment patterns when choosing a vector database for enterprise usage.

If you maintain custom forks or build from source, HiddenLayer advises manually migrating the authentication verification step to occur before any configuration loading sequence. Additionally, stripping the kwargs key from incoming collection creation payloads prevents arbitrary parameter injection.
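The ordering described above, sketched as an added example that is not ChromaDB's code or HiddenLayer's patch: the handler, the token check, the loader callback and the sample payload are all hypothetical names constructed for illustration. It authenticates first, strips every kwargs key at any depth, and only then calls the configuration loader.

```python
import hmac

BLOCKED_KEYS = {"kwargs"}  # key the page says to strip from collection-creation payloads


class Unauthorized(Exception):
    """Raised before any client-supplied configuration is touched."""


def strip_blocked_keys(value):
    """Return a copy of a JSON-like value with every blocked key removed, at any depth."""
    if isinstance(value, dict):
        return {k: strip_blocked_keys(v) for k, v in value.items() if k not in BLOCKED_KEYS}
    if isinstance(value, list):
        return [strip_blocked_keys(v) for v in value]
    return value


def create_collection(headers, payload, expected_token, load_config):
    """Hypothetical handler: authenticate first, sanitize second, load configuration last."""
    supplied = headers.get("Authorization", "")
    # Step 1: authentication runs before the payload is inspected at all.
    if not hmac.compare_digest(supplied.encode(), f"Bearer {expected_token}".encode()):
        raise Unauthorized("credentials rejected; configuration was not loaded")
    # Step 2: drop client-controlled keyword arguments from the whole payload.
    clean = strip_blocked_keys(payload)
    # Step 3: only now hand the sanitized configuration to the loader.
    return load_config(clean)


# Constructed sample request body; not ChromaDB's real schema.
SAMPLE = {"name": "docs", "configuration": {"embedding": {"kwargs": {"trust_remote_code": True}}}}


def demo():
    """Return (loader calls after an unauthenticated request, config seen when authenticated)."""
    calls = []
    def loader(cfg):
        calls.append(cfg)
        return cfg
    try:
        create_collection({}, SAMPLE, "s3cret", loader)
    except Unauthorized:
        pass
    unauth_calls = len(calls)
    seen = create_collection({"Authorization": "Bearer s3cret"}, SAMPLE, "s3cret", loader)
    return unauth_calls, seen
```

Calling demo() shows that the loader is never reached for the unauthenticated request and that the authenticated request reaches it without any kwargs entry.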

Securing vector infrastructure requires treating database APIs as heavily restricted internal services. Audit your deployment environment today to confirm that your database ports are isolated from public traffic, regardless of the version you currently run.
