CVE-2026-45829 is a pre-authentication remote code execution (RCE) vulnerability in ChromaDB’s Python FastAPI server (versions 1.0.0 through 1.5.8). Any attacker with network access can force the server to load and execute a malicious model from Hugging Face before any authentication check occurs. No vendor patch exists as of 2026-03-04. Organizations using ChromaDB in AI pipelines or vector search infrastructure should treat exposed instances as critically vulnerable until network isolation is confirmed and a patch is available.

Author

Tech Jacks Solutions