CVE-2026-45829
A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attack
CVSS
10.0
Crítico
EPSS
12.4%
p96
KEV
—
Exploit Today
29
0-100
Publicado: 18 may 2026 · Última mod.: 15 jul 2026 · CWE-94 · CWE-502
10.3%EPSS · 30 días12.4%
2026-06-302026-07-16
A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.
- github.comhttps://github.com/chroma-core/chroma/issues/6717
- www.hiddenlayer.comhttps://www.hiddenlayer.com/research/chromatoast-served-pre-auth
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-45829
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2479623
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45829.json
- www.hiddenlayer.comhttps://www.hiddenlayer.com/research/chromatoast-served-pre-auth
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2025-32489.8 CRÍ100.0%
KEV—80Langflow Missing Authentication Vulnerability2dCVE-2021-422379.8 CRÍ99.9%
KEV—80Sitecore XP Remote Command Execution Vulnerability7dCVE-2026-341978.8 ALT99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability2dCVE-2026-456598.8 ALT86.8%
KEV—76Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability15dCVE-2026-154107.2 ALT71.1%
KEV—71SonicWall SMA1000 Appliances Code Injection Vulnerability20hCVE-2026-125699.8 CRÍ66.0%
KEV—70PTC Windchill and FlexPLM Improper Input Validation Vulnerability16d