ChromaDB CVE-2026-45829, also called ChromaToast, can let an unauthenticated attacker take over a vulnerable ChromaDB Python FastAPI server if its HTTP API is reachable. HiddenLayer says the flaw exists because the server may load attacker-controlled embedding function settings before it performs the access check [1].
The key detail is timing. On the vulnerable path, collection creation can fetch and load a remote HuggingFace model before the request is rejected. From the defender’s side the request appears to have failed; from the attacker’s side the model code has already executed inside the server process.
Why this matters for exposed AI services
ChromaDB is widely used in AI applications for vector search and semantic matching. HiddenLayer says the issue was introduced in version 1.0.0 and remained unpatched as of 1.5.8, while its Shodan review found many internet-exposed instances in the affected version range. SecurityWeek separately reported that successful exploitation could expose environment variables, API keys, mounted secrets and files available to that process [2].
There is an important scope boundary. HiddenLayer says the Rust-based deployment path is not affected, while the Python FastAPI server path is the problem. Until a patch is available, the useful response is to move reachable deployments away from the vulnerable Python server where possible and restrict the ChromaDB port to trusted clients only.
Teams should not treat this as a generic AI bug. It is a server-side code-execution issue caused by loading untrusted model code before authentication is enforced. That same trust pattern has appeared in other developer and AI tooling incidents Gridinsoft covered recently, including the poisoned VS Code extension that exposed GitHub repositories and the Shai-Hulud npm supply-chain wave.
A GitHub issue opened before HiddenLayer’s publication describes related Python backend and client-side RCE behavior around embedding functions [3]. For incident triage, the priority is simple: find exposed ChromaDB HTTP endpoints, identify whether they use the Python server, then review secrets available to the process if suspicious requests touched collection-creation routes.
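As an added illustration of the triage step above (this is example code written for this article, not HiddenLayer’s or the Chroma project’s), the script below runs over Uvicorn-style access log lines and flags every POST to a collection-creation route, together with whether the client address falls inside a trusted range. The Uvicorn log layout, the v1 and v2 route shapes, the trusted CIDR list and the sample log lines are all assumptions constructed for the example; check the routes against the version you run. The point it makes explicit is that a 401 or 403 in the log is not evidence that the embedding-function load never ran.

```python
import ipaddress
import re
from dataclasses import dataclass

# Uvicorn-style access log line, e.g.
#   INFO:     203.0.113.5:51234 - "POST /api/v2/... HTTP/1.1" 401 Unauthorized
# ChromaDB's Python FastAPI server is served by Uvicorn; this layout is an assumption
# about how your deployment logs. Adjust the regex if a reverse proxy sits in front.
ACCESS_LINE_RE = re.compile(
    r'^(?:INFO:\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Collection-creation routes. The v1 and v2 path shapes below are assumed; check them
# against the routes your ChromaDB version actually registers.
COLLECTION_CREATE_RE = re.compile(
    r'^/api/v(?:1/collections|2/tenants/[^/]+/databases/[^/]+/collections)/?(?:\?.*)?$'
)


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    trusted: bool


def parse_access_line(line):
    """Return (ip, method, path, status), or None for lines that are not access entries."""
    m = ACCESS_LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], m["method"], m["path"], int(m["status"])


def is_collection_create(method, path):
    """True for the method/route pair that creates a collection."""
    return method == "POST" and COLLECTION_CREATE_RE.match(path) is not None


def triage(log_lines, trusted_cidrs):
    """Flag every collection-creation POST, regardless of the response status.

    The vulnerable path loads the embedding function first and rejects afterward,
    so a rejected request from outside the trusted ranges deserves the same
    secret-exposure review as a successful one.
    """
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_lines:
        parsed = parse_access_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        if not is_collection_create(method, path):
            continue
        trusted = any(ipaddress.ip_address(ip) in net for net in networks)
        findings.append(Finding(ip=ip, path=path, status=status, trusted=trusted))
    return findings


def summarize(findings):
    """Counts an incident responder can paste into a ticket."""
    untrusted = [f for f in findings if not f.trusted]
    return {
        "collection_create_total": len(findings),
        "from_untrusted_sources": len(untrusted),
        "untrusted_but_rejected": sum(1 for f in untrusted if f.status in (401, 403)),
        "untrusted_sources": sorted({f.ip for f in untrusted}),
    }


# Constructed sample log: one internal client and two internet-facing probes.
SAMPLE_LOG = """\
INFO:     10.0.0.8:40210 - "GET /api/v2/heartbeat HTTP/1.1" 200 OK
INFO:     10.0.0.8:40212 - "POST /api/v2/tenants/default_tenant/databases/default_database/collections HTTP/1.1" 200 OK
INFO:     203.0.113.5:51234 - "POST /api/v2/tenants/default_tenant/databases/default_database/collections HTTP/1.1" 401 Unauthorized
INFO:     203.0.113.5:51236 - "GET /api/v2/tenants/default_tenant/databases/default_database/collections HTTP/1.1" 401 Unauthorized
INFO:     198.51.100.7:6000 - "POST /api/v1/collections HTTP/1.1" 403 Forbidden
""".splitlines()

# Assumed trusted client range for the example deployment.
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    findings = triage(SAMPLE_LOG, TRUSTED)
    for f in findings:
        print(f)
    print(summarize(findings))
```

On the sample log this reports three collection-creation POSTs, two of them from untrusted addresses, and both of those were rejected with 401 or 403. Those two are exactly the requests the triage step says to follow up on: check which environment variables, API keys and mounted files the server process could reach, and rotate what it could.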
Another recent AI tooling case shows the same operational lesson from a different angle: once an AI workflow layer is exposed, the risk quickly moves from the app itself to the secrets and data it can reach. See our coverage of Langflow CVE-2025-34291 and token hijack RCE.
References
- [1] HiddenLayer, “ChromaToast Served Pre-Auth,” May 2026.
- [2] SecurityWeek, “Unpatched ChromaDB Vulnerability Can Lead to Server Takeover,” May 19, 2026.
- [3] chroma-core/chroma GitHub issue #6717, “Python Backend Server Side RCE & Python Client SDK RCE,” 2026.
If you self-host AI application infrastructure, add Flowise to the same review list: CVE-2026-40933 in Flowise can turn a malicious chatflow import into server-side command execution.