CVE-2026-45829
Published: 18 May 2026
Summary
CVE-2026-45829 is a critical-severity Code Injection (CWE-94) vulnerability in HiddenLayer (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Similarity Search, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A pre-authentication code injection vulnerability affects ChromaDB Python project versions 1.0.0 and later. The flaw, tracked as CWE-94, resides in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint and permits an attacker to supply a malicious model repository together with trust_remote_code set to true, resulting in arbitrary code execution on the server.
An unauthenticated remote attacker can exploit the issue over the network by crafting a request that triggers the code path during collection operations. Successful exploitation grants full control of the server process, enabling data exfiltration, persistence, or further lateral movement within the environment. The vulnerability carries a CVSS 4.0 score of 10.0, reflecting the absence of required authentication, privileges, or user interaction.
Public references consist of a GitHub issue and research published by HiddenLayer under the title “chromatoast-served-pre-auth,” which document the root cause and proof-of-concept details. The associated EPSS score stands at 0.0966 with no material increase from its observed peak, indicating moderate but stable exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30779
Vulnerability details
A pre-authentication code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
- CWE(s): CWE-94 (Code Injection)
AI Security Analysis
- AI Category: Similarity Search
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: chromadb
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Pre-authentication code injection (CWE-94) in a public ChromaDB API endpoint directly enables remote code execution through exploitation of a public-facing application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces authentication and authorization checks on the /api/v2/.../collections endpoint before any model repository or trust_remote_code parameter is processed.
Requires validation of all inputs (model repository URL and trust_remote_code flag) to block the malicious values that trigger arbitrary code execution.
Mandates identification and authentication of every user or client before the vulnerable collection-creation code path can be reached.
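One way to apply the input-validation control at a gateway in front of the server, as an added example that is not ChromaDB's or HiddenLayer's code: refuse requests to the collections endpoint whose JSON body enables trust_remote_code at any depth. The function names, the sample body's field names and the fail-closed handling of unparsable bodies are assumptions; the page does not give the request body layout, so the check walks the whole document.

```python
import json
import re

# Path template from the advisory; tenant and db are single path segments.
COLLECTIONS = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections(?:/.*)?$")
FLAG = "trust_remote_code"
# Constructed sample body; the nesting and field names are illustrative only.
SAMPLE_BODY = b'{"name": "docs", "cfg": {"model": "example/repo", "trust_remote_code": true}}'


def _truthy(value):
    """JSON true, non-zero numbers and common string spellings enable the flag."""
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes"}
    return bool(value)


def find_flag(node, path="$"):
    """Yield the JSON paths where trust_remote_code is enabled, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key.lower() == FLAG and _truthy(value):
                yield here
            yield from find_flag(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_flag(item, f"{path}[{i}]")
    elif isinstance(node, str) and FLAG in node.lower():
        # Assumption: settings may also arrive as a JSON string nested in the body.
        try:
            yield from find_flag(json.loads(node), path + "<embedded>")
        except ValueError:
            pass


def check_request(path, body):
    """Return (allow, reason) for one request; body is the raw request bytes."""
    if not COLLECTIONS.match(path.split("?", 1)[0]):
        return True, "not the collections endpoint"
    if not body:
        return True, "empty body"
    try:
        doc = json.loads(body)
    except ValueError:  # fail closed on this endpoint (assumption)
        return False, "unparsable body on collections endpoint"
    hits = list(find_flag(doc))
    if hits:
        return False, "trust_remote_code enabled at " + ", ".join(hits)
    return True, "ok"
```

A filter like this narrows the input the endpoint accepts; it does not replace the authentication and access-enforcement controls described above.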