CVE-2026-45829: Max-Severity Flaw Lets Attackers Hijack ChromaDB

CVE-2026-45829 is a maximum-severity pre-auth flaw in ChromaDB allowing server hijacking; about 73% of internet-exposed instances run a vulnerable version.

    A maximum-severity vulnerability in ChromaDB — the open-source vector database at the core of many agentic AI applications — allows attackers to force servers to load and execute malicious machine-learning models before authentication checks complete, and researchers found that approximately 73% of internet-exposed ChromaDB instances were running a vulnerable version at the time of disclosure.

    CVE-2026-45829: Pre-Auth Model Execution Before Authentication Fires

    The attack exploits a timing flaw in ChromaDB’s request handling. An attacker sends a crafted request to an authenticated API endpoint. The server begins processing that request — fetching and executing the attacker-specified model payload from Hugging Face — before its authentication check runs. By the time the server returns an HTTP 500 error rejecting the unauthenticated request, the malicious model has already executed on the server. Authentication rejection arrives after the damage is done.

    ChromaDB functions as the retrieval backend in agentic AI systems, connecting directly to the document stores and embedding repositories that feed LLM inference pipelines. A hijacked ChromaDB instance gives an attacker arbitrary code execution on the server hosting the database, along with access to the sensitive document collections stored within it.

    Disclosure Timeline and the Maintainer’s Non-Response

    The vulnerability was introduced in ChromaDB version 1.0.0 and persisted through version 1.5.8. HiddenLayer, the research team that discovered and reported the flaw, first contacted the maintainer on February 17, 2026. Version 1.5.9 was released approximately two weeks before the public disclosure, but the maintainer had not confirmed patch status or acknowledged the disclosure in any form before HiddenLayer published. Public disclosure proceeded after the response window elapsed without communication.

    Shodan Analysis: 73% of Exposed Instances Still on Vulnerable Versions

    Researchers conducted a Shodan analysis at the time of disclosure and found that approximately 73% of internet-exposed ChromaDB instances were running versions vulnerable to CVE-2026-45829. ChromaDB records approximately 14 million monthly downloads from PyPI, reflecting widespread deployment across AI development pipelines, LLM inference systems, and production agentic AI applications. The gap between the volume of deployments and the patch rate creates a large, accessible attack surface.

    Why AI Infrastructure Components Are a Growing Target

    ChromaDB occupies a privileged position inside the AI application stack: it stores the embeddings and document corpora that inform LLM outputs, and it sits adjacent to sensitive enterprise data that organizations have fed into retrieval-augmented generation pipelines. Despite this access level, AI infrastructure components have not historically received the same security scrutiny applied to databases storing financial records or healthcare data. A pre-authentication remote code execution flaw in a component with 14 million monthly downloads indicates that the attack surface presented by AI infrastructure has outpaced the security review process applied to it.

    What Server Hijacking Means for Connected LLM Pipelines

    Code execution on a ChromaDB server gives an attacker a position inside the AI application’s data access layer. From that position, they can read embedded documents stored in the vector database, manipulate the retrieval results being fed to connected language models, or use the server as a pivot point into surrounding infrastructure. Applications relying on ChromaDB for retrieval-augmented generation face the possibility that a compromised, unpatched instance corrupts the factual grounding of the AI system’s outputs — or exposes the entire document corpus being used to ground those outputs.

    Organizations running ChromaDB should verify whether their deployments are on version 1.5.9 or later and confirm whether their instances are publicly reachable. Deployments that do not require public internet access should be placed behind network controls that restrict access to authorized internal systems only.
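
    The check described above, as an added example (not code from ChromaDB or HiddenLayer): it triages a deployment inventory by the affected range the article gives (1.0.0 through 1.5.8) and by listen address. The inventory format, host names, action labels and the list of internal address ranges are assumptions.

```python
import ipaddress
import re

# Affected range stated in the article: introduced in 1.0.0, present through 1.5.8.
FIRST_VULNERABLE, LAST_VULNERABLE = (1, 0, 0), (1, 5, 8)
# Assumption: listeners bound inside these ranges count as internal-only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_vulnerable(version_text):
    """True/False for a parsable version, None when it needs manual review."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version_text.strip())
    if not m:
        return None
    version = tuple(int(g or 0) for g in m.groups())
    return FIRST_VULNERABLE <= version <= LAST_VULNERABLE

def is_exposed(bind_addr):
    """True when the listen address is a wildcard or outside INTERNAL_NETS."""
    ip = ipaddress.ip_address(bind_addr)
    if ip.is_unspecified:  # 0.0.0.0 or :: listens on every interface
        return True
    return not any(ip in net for net in INTERNAL_NETS)

def triage(inventory_text):
    """Map each 'host version bind_addr' line to an action."""
    actions = {}
    for line in inventory_text.strip().splitlines():
        host, version, bind_addr = line.split()
        vuln, exposed = is_vulnerable(version), is_exposed(bind_addr)
        if vuln is None:
            actions[host] = "review-version"
        elif vuln:
            actions[host] = "upgrade-urgent" if exposed else "upgrade"
        else:
            actions[host] = "restrict-network" if exposed else "ok"
    return actions

# Constructed inventory: hypothetical hosts; 203.0.113.0/24 is a documentation range.
SAMPLE_INVENTORY = """
rag-prod-1   1.5.8    0.0.0.0
rag-prod-2   1.5.9    203.0.113.10
rag-dev      1.2.0    127.0.0.1
legacy-poc   0.6.3    10.0.4.17
notebook     unknown  192.168.1.20
"""
if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {action}")
```

    A listen address only shows what the process binds to; whether the instance is actually reachable from the internet still depends on firewalls, load balancers and port forwarding in front of it.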
