Max-Severity Flaw in ChromaDB for AI Apps Allows Server Hijacking

BleepingComputer, May 19, 2026

Why It Matters

The exploit gives threat actors remote code execution on AI infrastructure, jeopardizing data confidentiality and model integrity for enterprises that rely on ChromaDB for LLM retrieval.

Key Takeaways

  • ChromaDB's Python API server vulnerable to unauthenticated code execution
  • CVE‑2026‑45829 affects versions 1.0.0‑1.5.8, 73% of exposed instances vulnerable
  • Fix released in 1.5.9, but patch status remains unclear
  • Rust front‑end or non‑exposed deployments avoid the risk
  • Attackers can load malicious Hugging Face models before auth check

Pulse Analysis

ChromaDB has become a cornerstone for vector‑search workloads, powering retrieval‑augmented generation in many enterprise LLM pipelines. Its open‑source Python FastAPI server offers a convenient HTTP interface, but that convenience also expands the attack surface. Because the server processes embedding‑model settings before the authentication check, it inadvertently executes code fetched from external repositories, a classic supply‑chain weakness that can be weaponized at scale. The discovery underscores how quickly a seemingly benign feature can evolve into a critical security flaw when authentication logic is misplaced.

The CVE‑2026‑45829 vulnerability was introduced in ChromaDB 1.0.0 and persisted through 1.5.8, affecting a package that sees roughly 14 million downloads each month. HiddenLayer’s research shows that about three‑quarters of publicly reachable instances are still running vulnerable versions, leaving a large pool of low‑hanging targets for attackers. Exploitation requires only a crafted HTTP request that forces the server to pull a malicious model from Hugging Face, after which the payload runs before the server returns a 500 error. Mitigation guidance emphasizes using the Rust front‑end, restricting network exposure, and scanning model artifacts for unsafe code.
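The ordering problem described above, as an added illustration that is not ChromaDB's own code: a handler that resolves request‑supplied embedding‑model settings before authenticating, beside a hardened ordering that authenticates first and only then consults an (assumed) allowlist of model sources. The `Request`, `FakeLoader`, token and `local/` prefix are constructed stand‑ins.

```python
"""Pre-auth side effects vs. auth-first handling (illustrative, not ChromaDB code)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    headers: dict
    body: dict


@dataclass
class FakeLoader:
    """Stands in for a model loader; records every source it was asked to fetch."""
    fetched: list = field(default_factory=list)

    def load(self, source: str) -> None:
        self.fetched.append(source)
        # A real loader would download and import model code here; the request
        # then fails, matching the "payload runs, then 500" behaviour above.
        raise RuntimeError("model load failed")


VALID_TOKEN = "constructed-secret"  # constructed sample credential


def check_auth(req: Request) -> bool:
    return req.headers.get("Authorization") == f"Bearer {VALID_TOKEN}"


def vulnerable_handler(req: Request, loader: FakeLoader) -> int:
    # Embedding settings are resolved, and the model fetched, before auth runs.
    source = req.body.get("embedding_function", {}).get("model")
    try:
        if source:
            loader.load(source)
    except RuntimeError:
        return 500  # the untrusted fetch has already happened
    return 200 if check_auth(req) else 401


def hardened_handler(req: Request, loader: FakeLoader) -> int:
    if not check_auth(req):
        return 401  # nothing request-controlled has been acted on yet
    source = req.body.get("embedding_function", {}).get("model")
    if source and not source.startswith("local/"):  # assumed allowlist policy
        return 400
    try:
        if source:
            loader.load(source)
    except RuntimeError:
        return 500
    return 200
```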

The incident highlights a broader trend: AI‑centric services are increasingly becoming high‑value targets, and supply‑chain attacks are gaining traction. Organizations deploying vector databases must adopt zero‑trust networking, enforce strict API authentication, and keep dependencies up to date. Moreover, the community should prioritize security reviews of model‑loading mechanisms, especially when third‑party code execution is involved. As AI workloads continue to proliferate, proactive hardening of foundational components like ChromaDB will be essential to safeguard both intellectual property and operational continuity.
