ChromaDB CVE-2026-45829: Race Condition to RCE

Overview of the Vulnerability

ChromaDB versions 1.0.0 through 1.5.8 have a critical vulnerability that allows unauthenticated remote code execution. The flaw, tracked as CVE-2026-45829, stems from a race condition between embedding model parsing and authentication checks. An attacker can direct ChromaDB to a malicious model hosted on a platform like Hugging Face, leading the server to execute arbitrary code before it verifies the request's legitimacy.

HiddenLayer discovered and disclosed the vulnerability. At the time of disclosure, over 73% of publicly accessible ChromaDB instances were running vulnerable versions, and no patch exists for the Python implementation.

Timeline of Events

The timeline highlights a failure in responsible disclosure:

  • HiddenLayer discovered the vulnerability and attempted to contact ChromaDB developers.
  • Communication failed, and the disclosure process did not reach the right people.
  • HiddenLayer proceeded with public disclosure.
  • Organizations using ChromaDB learned about the vulnerability from public channels, not the maintainers.
  • At the time of disclosure, no patch was available for the Python implementation.

This isn't a case of a quickly patched zero-day. It's a situation where the vendor was unaware of a critical vulnerability until public disclosure.

Failed or Missing Controls

Authentication Timing: ChromaDB loads embedding models before checking authentication, allowing execution of malicious code during parsing.

Input Validation: The application accepts external model references without validating the source, allowing attacker-controlled URLs to become executable code.

Secure Defaults: ChromaDB instances are often deployed with network exposure and no transport layer authentication. Application-level authentication can be bypassed via the race condition.

Dependency Trust Boundaries: ChromaDB treats external embedding models as safe to parse, with no sandboxing, signature verification, or trust model for runtime dependencies.

Vendor Communication: The maintainers lacked an effective security contact method, which is an operational control failure.

Relevant Standards and Requirements

OWASP ASVS v4.0.3, Requirement 5.1.1: Validate and sanitize all external inputs, including model URLs, before processing.

OWASP ASVS v4.0.3, Requirement 1.4.2: Log authentication decisions without storing sensitive data. With this race condition, authentication decisions are logged only after malicious code has executed, which shows why ordering matters.

PCI DSS v4.0.1, Requirement 6.2.4: Secure development of bespoke software includes preventing injection flaws by validating input.

NIST 800-53 Rev 5, SI-10: Validate information inputs for accuracy and completeness before processing. ChromaDB processes first, validates second.

ISO 27001, Annex A.8.22: Segregate information services and systems on networks. Internet-accessible ChromaDB instances without segmentation fail this control.

Action Items for Your Team

Immediate Actions for ChromaDB Users:

  1. Switch to the Rust Implementation: The Rust version is not vulnerable. Migrate if possible.

  2. Remove Internet Accessibility: Ensure ChromaDB is behind a VPN or only accessible from your application tier.

  3. Implement Network-Level Authentication: Use mutual TLS, IP allowlisting, or a service mesh to enforce authentication before traffic reaches ChromaDB.

  4. Audit Embedding Model Sources: Know which sources your application trusts and create an allowlist.

Broader Program Changes:

Fix Vendor Contact Process: Establish a monitored security contact and policy. Test quarterly to ensure responsiveness.

Reorder Authentication Checks: Ensure authentication occurs before processing attacker-controlled input.

Build a Trust Model for Runtime Dependencies: Implement signature verification and source validation for external dependencies.

Create an Open-Source Dependency Response Plan: Monitor security mailing lists and CVE feeds. Use tools like Dependabot or Snyk for alerts.

This incident underscores that authentication is a control flow issue, not just a credential issue. The timing of your authentication checks is as critical as their existence.
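
The "Reorder Authentication Checks" and "Audit Embedding Model Sources" items can be combined in one request path, sketched below as an added example that is not ChromaDB's code. The handler, the `embedding_model` field, the token, and the allowlisted host are hypothetical names constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Assumptions for this example: a single static API token and an exact-match
# allowlist of model sources. Host, path and token are constructed placeholders.
API_TOKEN = "constructed-example-token"
ALLOWED_MODELS = {("models.internal.example", "/ml-team/text-embedder")}


class Rejected(Exception):
    """Raised before any model content is fetched or parsed."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def authenticate(headers):
    # Constant-time comparison, done before any body field is interpreted.
    supplied = headers.get("Authorization", "").encode()
    if not hmac.compare_digest(supplied, f"Bearer {API_TOKEN}".encode()):
        raise Rejected(401, "unauthenticated")


def validate_model_ref(ref):
    # Treat the reference as data only: no network access, no deserialization.
    try:
        parts = urlsplit(ref if isinstance(ref, str) else "")
        extras = (parts.username, parts.password, parts.port, parts.query, parts.fragment)
    except ValueError:  # malformed port or bracketed host
        raise Rejected(400, "malformed model reference") from None
    if parts.scheme != "https" or any(extras):
        raise Rejected(400, "model reference must be a plain https URL")
    if (parts.hostname, parts.path.rstrip("/")) not in ALLOWED_MODELS:
        raise Rejected(403, "model source not on allowlist")
    return f"https://{parts.hostname}{parts.path.rstrip('/')}"


def handle_request(headers, body, load_model):
    """Hypothetical handler; load_model is the only step that touches model content."""
    try:
        authenticate(headers)                                  # 1. who is asking
        ref = validate_model_ref(body.get("embedding_model"))  # 2. what they ask for
    except Rejected as exc:
        return exc.status, str(exc)
    load_model(ref)                                            # 3. fetch and parse last
    return 200, "ok"
```

Passing the loader in as a parameter makes the ordering testable: a unit test can hand in a spy and assert it is never called for a rejected request.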
