Cyber Resilience

CVE-2026-45829

Critical · RCE · Updated

Published: 18 May 2026

Modified: 27 June 2026
CVSS Score v4: 10.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1239 (95.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-45829 is a critical-severity Code Injection (CWE-94) vulnerability in HiddenLayer (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Similarity Search, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A pre-authentication code injection vulnerability affects ChromaDB Python project versions 1.0.0 and later. The flaw, tracked as CWE-94, resides in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint and permits an attacker to supply a malicious model repository together with trust_remote_code set to true, resulting in arbitrary code execution on the server.

An unauthenticated remote attacker can exploit the issue over the network by crafting a request that triggers the code path during collection operations. Successful exploitation grants full control of the server process, enabling data exfiltration, persistence, or further lateral movement within the environment. The vulnerability carries a CVSS 4.0 score of 10.0, reflecting the absence of required authentication, privileges, or user interaction.

Public references consist of a GitHub issue and research published by HiddenLayer under the title “chromatoast-served-pre-auth,” which document the root cause and proof-of-concept details. The associated EPSS score stands at 0.0966 with no material increase from its observed peak, indicating moderate but stable exploitation interest since disclosure.

Vulnerability details

A pre-authentication code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

AI Security Analysis

AI Category: Similarity Search
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: chromadb

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Pre-auth code injection (CWE-94) in public ChromaDB API endpoint directly enables remote code execution via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-49375: shared CWE-502, CWE-94
CVE-2026-35171: shared CWE-502, CWE-94
CVE-2025-62368: shared CWE-502
CVE-2025-54014: shared CWE-502
CVE-2026-22505: shared CWE-502
CVE-2025-53078: shared CWE-502
CVE-2026-43633: shared CWE-502
CVE-2026-25429: shared CWE-502
CVE-2025-7697: shared CWE-502
CVE-2024-10936: shared CWE-502

Affected Assets

HiddenLayer (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly enforces authentication and authorization checks on the /api/v2/.../collections endpoint before any model repository or trust_remote_code parameter is processed.

Prevent: Requires validation of all inputs (model repository URL and trust_remote_code flag) to block the malicious values that trigger arbitrary code execution.

Prevent: Mandates identification and authentication of every user or client before the vulnerable collection-creation code path can be reached.
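
One way to implement the input-validation control described above, as an added example that is not ChromaDB's or HiddenLayer's code: a fail-closed pre-filter, suitable for a reverse proxy hook or middleware, that rejects requests to the collections endpoint when trust_remote_code is enabled anywhere in the body. The function names and the sample body are assumptions; the request schema is not given on this page, so the check searches for the key at any nesting depth rather than at a fixed location.

```python
import json
import re

# Endpoint path as given in the advisory; {tenant} and {db} are single path segments.
COLLECTIONS_PATH = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections(/.*)?$")
BLOCKED_KEY = "trust_remote_code"

# Constructed sample body: the field layout is hypothetical, only the key name is from the advisory.
SAMPLE_BODY = '{"name": "docs", "configuration": {"embedding_function": {"config": {"trust_remote_code": true}}}}'


def _is_truthy(value):
    """Treat JSON true, non-zero numbers and strings such as "true" or "1" as enabled."""
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes", "on"}
    return bool(value)


def find_blocked_key(node, path="$"):
    """Return the JSON paths where trust_remote_code is enabled, at any depth."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key.lower() == BLOCKED_KEY and _is_truthy(value):
                hits.append(here)
            hits.extend(find_blocked_key(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_blocked_key(item, f"{path}[{i}]"))
    return hits


def screen_request(method, url_path, raw_body):
    """Return (allowed, reason) for one request; unparseable bodies are rejected."""
    if not COLLECTIONS_PATH.match(url_path.split("?", 1)[0]):
        return True, "not a collections endpoint"
    if method.upper() not in {"POST", "PUT", "PATCH"} or not raw_body:
        return True, "no request body to inspect"
    try:
        body = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and undecodable bytes
        return False, "unparseable body on collections endpoint"
    hits = find_blocked_key(body)
    if hits:
        return False, "trust_remote_code enabled at " + ", ".join(hits)
    return True, "ok"
```

The filter assumes the proxy has already normalised the URL path, and it complements the authentication and access-enforcement controls listed above rather than replacing them.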

References