External risk intelligence

ChromaDB Python Code Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-45833

A code injection vulnerability in ChromaDB allows an authenticated attacker with specific permissions to execute arbitrary code on the server by sending a malicious model repository. This could impact server integrity and availability.

4Halo Surface Signal

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-45833

The vulnerability resides in an API endpoint of a database service commonly used to power web applications and backend services. Since these deployments frequently expose their API surfaces to the network to facilitate integration and data access, the vulnerable functionality is often reachable in typical real-world infrastructure.

PCI scan relevance

PCI Relevance for CVE-2026-45833

Yes

CVE-2026-45833 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in ChromaDB allows authenticated users to execute arbitrary code on the server, which is a common cause of PCI ASV scan failures.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A code injection vulnerability has been identified in the ChromaDB Python project, impacting its database collections. This issue could allow an authenticated user with specific permissions to execute arbitrary code on the server by submitting a malicious model repository. The main concern is to confirm if your environment uses this technology and is potentially exposed.

  • Attackers can run code by sending bad data.
  • Important for any system using this database.
  • Confirm usage and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with update permissions can reach this vulnerability by sending a malicious model repository to the ChromaDB API. If the `trust_remote_code` option is enabled, this could lead to arbitrary code execution on the server.

  • Requires UPDATE_COLLECTION permission.
  • Triggered by sending a malicious model repository.
  • Allows arbitrary code execution on the server.

Live Threat

Current exploitation, exposure, and threat context

A critical code injection vulnerability in ChromaDB could allow an authenticated attacker with specific permissions to execute arbitrary code on the server. This could occur when a malicious model repository is provided, and the `trust_remote_code` setting is enabled, potentially impacting the integrity and availability of the server.

  • Server-side code execution.
  • Authenticated attacker sends malicious model.
  • Compromised server, potential data loss.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability resides in an API endpoint of a database service, suggesting that platform or application teams are likely responsible for its management and remediation. The first practical step is to identify all instances of the affected technology, assess their network reachability and business criticality, and then confirm the accountable owner before planning remediation.

  • Platform and application owners should address.
  • Verify remote code execution exposure.
  • Plan remediation based on identified risk.

Frequently asked questions

What is ChromaDB and how is it used?

ChromaDB is a Python-based database designed for managing embeddings, which are essential for powering modern artificial intelligence and machine learning applications. It allows developers to store, index, and query vector data. By enabling efficient similarity searches, it serves as a critical backend component for systems like retrieval-augmented generation (RAG) pipelines, where applications need to quickly retrieve relevant context from large datasets to inform AI model responses.

What does CWE-94 mean for CVE-2026-45833?

CWE-94 refers to improper control of generation of code, commonly known as code injection. In the context of this CVE, it means the software does not sufficiently validate or restrict the input it receives before using that input to execute functions. Because the system is designed to handle model repositories, it can be tricked into interpreting malicious data as executable instructions, giving an attacker the ability to run arbitrary commands on the underlying server.

How is this ChromaDB vulnerability triggered?

An attacker triggers this flaw by interacting with a specific API endpoint responsible for managing database collections. They must have UPDATE_COLLECTION permissions and provide a malicious model repository. Crucially, the vulnerability only executes the attacker's code if the 'trust_remote_code' configuration option is set to true. If this setting is disabled or not utilized, the specific path for arbitrary code execution described in this threat is not engaged.

Is my ChromaDB instance at risk?

According to Halo Surface Signal, this vulnerability is classified as likely to be reachable in real-world environments. Because ChromaDB is frequently deployed as a database service powering web applications, its API surface is often exposed to the network to support integration needs. If your instance is accessible over a network and allows authenticated users to submit model repositories with the 'trust_remote_code' option enabled, it is considered a potential area of concern.

Do I need to take action if I use ChromaDB?

Yes. Start by creating an inventory of all systems in your environment that use the affected ChromaDB versions (0.4.17 or later). Work with your platform or application teams to determine if the vulnerable API endpoints are network-accessible and to identify who is responsible for the configuration. Assess the business criticality of these services to prioritize your response, and verify whether the 'trust_remote_code' setting is currently enabled in your implementation.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished