CRITICAL
Chroma
CVE published 2026-05-18
CVE-2026-45829
CVE-2026-45829 is a critical pre-authentication code injection issue affecting version 1.0.0 and later of the ChromaDB Python project. According to the published description, an unauthenticated attacker can send a malicious model repository to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint and, when trust_remote_code is set to true, achieve arbitrary code execution on the server. NVD lis [truncated]
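A defensive check for the condition described above, as an added example that is not part of the original advisory or of ChromaDB's code: it flags captured requests to the collections endpoint whose JSON body enables trust_remote_code at any nesting depth. The advisory does not give the request schema, so every body field name other than trust_remote_code, the tenant and database names, and the function names are assumptions.

```python
import json
import re

# Endpoint from the CVE description; {tenant} and {db} are single path segments.
COLLECTIONS_PATH = re.compile(r"^/api/v2/tenants/[^/]+/databases/[^/]+/collections/?$")

def _enabled(value):
    """True for JSON true and for string or numeric spellings of it."""
    if isinstance(value, str):
        return value.strip().lower() in {"true", "1", "yes"}
    return value is True or value == 1

def find_trust_remote_code(node, path="$"):
    """Return the JSON path of every enabled trust_remote_code key, at any depth."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() == "trust_remote_code" and _enabled(value):
                hits.append(child)
            hits.extend(find_trust_remote_code(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_trust_remote_code(item, f"{path}[{i}]"))
    return hits

def review_request(url_path, raw_body):
    """Return (flagged, reason) for one captured request path and body."""
    if not COLLECTIONS_PATH.match(url_path.split("?", 1)[0]):
        return False, "not the collections endpoint"
    if not raw_body.strip():
        return False, "empty body"
    try:
        hits = find_trust_remote_code(json.loads(raw_body))
    except ValueError:
        return True, "unparseable body, review manually"
    if hits:
        return True, "trust_remote_code enabled at " + ", ".join(hits)
    return False, "trust_remote_code absent or false"

# Constructed sample requests; every body field except trust_remote_code is hypothetical.
SAMPLES = [
    ("/api/v2/tenants/t1/databases/db1/collections",
     '{"name": "a", "hypothetical_config": {"embedder": {"trust_remote_code": true}}}'),
    ("/api/v2/tenants/t1/databases/db1/collections?x=1",
     '{"name": "b", "hypothetical_config": [{"Trust_Remote_Code": "True"}]}'),
    ("/api/v2/tenants/t1/databases/db1/collections",
     '{"name": "c", "hypothetical_config": {"trust_remote_code": false}}'),
]
```

Run review_request over request path and body pairs taken from a reverse proxy or API gateway that sits in front of the server and records request bodies.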