CVE-2026-45833
published 2026-06-12CVE-2026-45833: A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server…
PriorityP259high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.34%
26.1th percentile
A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} if they have the UPDATE_COLLECTION permission.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chroma | chromadb | 0.4.17 – * | — |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhoai | odh-autorag-rhel9 | — | — |
| trychroma | chromadb | 0.4.17 – 1.5.9 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP PATCH/PUT requests to the ChromaDB collections API endpoint containing 'trust_remote_code: true' in the request body, which is the trigger condition for arbitrary code execution. ↗
- →Alert on any ChromaDB API request that sets trust_remote_code to true alongside a model repository parameter, as this combination enables remote code execution from attacker-controlled HuggingFace model repositories. ↗
- →Restrict detection scope to authenticated sessions with UPDATE_COLLECTION permission; unauthenticated requests cannot reach the vulnerable code path. ↗
- →Scope detection to ChromaDB version 0.4.17 and later; earlier versions are not affected. ↗
- ·RHOAI and RHEL AI deployments are only reachable via this attack path if the Chroma FastAPI server is explicitly exposed to untrusted users; default architectures do not expose it. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.4CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat9.4CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository an
ghsa_unreviewed·2026-06-12
CVE-2026-45833 [CRITICAL] CWE-94 A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository an
A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} if they have the UPDATE_COLLECTION permission.
Red Hat
chromadb: ChromaDB: Arbitrary Code Execution via Code Injection
vendor_redhat·2026-06-12·CVSS 9.4
CVE-2026-45833 [CRITICAL] CWE-94 chromadb: ChromaDB: Arbitrary Code Execution via Code Injection
chromadb: ChromaDB: Arbitrary Code Execution via Code Injection
A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} if they have the UPDATE_COLLECTION permission.
A flaw was found in the ChromaDB Python project. An authenticated attacker with UPDATE_COLLECTION permission could exploit a code injection vulnerability. By sending a malicious model repository to a specific API endpoint with trust_remote_code enabled, the attacker can execute arbitrary code on the server. This could lead to a complete compromise of the affec
No detection rules found.
No public exploits indexed.
https://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-5https://access.redhat.com/security/cve/CVE-2026-45833https://bugzilla.redhat.com/show_bug.cgi?id=2488430https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45833.jsonhttps://www.hiddenlayer.com/sai-security-advisory/2026-06-chromadb-5
2026-06-12
Published