Max-severity flaw in ChromaDB for AI apps allows server hijacking

A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.

The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity score from HiddenLayer, the company that discovered it.

ChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and related applications. It enables retrieving semantically relevant documents during large-language model (LLM) inference.

The flaw affects the codebase containing the vulnerable Python API server logic, so the PyPI package, which has nearly 14 million monthly downloads, is at risk when servers are accessible over HTTP.

Users who deploy it locally without exposing the API server online along with those using the Rust front-end, are not affected by CVE-2026-45829.

Max-severity flaw in ChromaDB for AI apps allows server hijacking

Other newsrooms on this story

Related reading

Unpatched ChromaDB Vulnerability Can Lead to Server Takeover

Other newsrooms on this story

Related reading

Unpatched ChromaDB Vulnerability Can Lead to Server Takeover

AI coding agents breached: attackers targeted credentials, not models |…

Anthropic’s MCP vulnerability: When ‘expected behavior’ becomes a supply chain…

Linux cryptographic code flaw offers fast route to root

'Claw Chain' Vulnerabilities Threaten OpenClaw Deployments

PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure