CVE-2026-45829 is a pre-authentication remote code execution (RCE) vulnerability in ChromaDB’s Python FastAPI server (versions 1.0.0-1.5.8). Any unauthenticated attacker with network access can force the server to load and execute a malicious model from Hugging Face before any authentication check occurs. No vendor patch exists as of 2026-03-04. Organizations using ChromaDB in AI pipelines or vector search infrastructure should treat exposed instances as critically vulnerable until network isolation is confirmed and a patch is available.
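To find where the affected range is pinned across repositories, the following added example (not part of the original advisory or of ChromaDB) audits pip-style requirements files for `chromadb` pins inside 1.0.0-1.5.8. The file paths and sample contents are constructed, and the function names are hypothetical.

```python
import re

# Affected range as stated in the advisory text above (inclusive bounds).
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 5, 8)

# Exact pins such as "chromadb==1.4.2" (optional extras, any letter case).
PIN_RE = re.compile(
    r"^\s*chromadb(?:\[[^\]]*\])?\s*==\s*(\d+)\.(\d+)\.(\d+)\b", re.IGNORECASE
)
# Any chromadb requirement line; rejects look-alikes like "chromadb-client".
ANY_RE = re.compile(
    r"^\s*chromadb(?:\[[^\]]*\])?\s*(?:$|[=<>~!;#@\s])", re.IGNORECASE
)


def classify(line):
    """Return 'affected', 'outside-range', 'unpinned', or None (not chromadb)."""
    if not ANY_RE.match(line):
        return None
    m = PIN_RE.match(line)
    if not m:
        return "unpinned"  # file alone cannot tell; check the deployed version
    version = tuple(int(p) for p in m.groups())
    # 'outside-range' only means "not in the range the advisory lists".
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "outside-range"


def audit(files):
    """files: {path: text}. Returns sorted (path, line_no, requirement, status)."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), 1):
            status = classify(line)
            if status:
                findings.append((path, n, line.strip(), status))
    return sorted(findings)


# Constructed sample input (not taken from any real project).
SAMPLE = {
    "rag-api/requirements.txt": "fastapi==0.110.0\nchromadb==1.4.2\n",
    "indexer/requirements.txt": "ChromaDB == 1.5.8  # vector store\n",
    "legacy/requirements.txt": "chromadb==0.5.23\nchromadb-client==1.2.0\n",
    "notebooks/requirements.txt": "chromadb>=1.0\n",
}

if __name__ == "__main__":
    for path, n, req, status in audit(SAMPLE):
        print(f"{status:14} {path}:{n}  {req}")
```

Lines reported as `unpinned` need a check against the version actually deployed, since a range specifier can resolve into the affected versions.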

Author

Tech Jacks Solutions