Description
A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} if they have the UPDATE_COLLECTION permission.
Published: 2026-06-12
Score: 9.4 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A code injection flaw in ChromaDB version 0.4.17 and newer allows an authenticated attacker with the UPDATE_COLLECTION permission to execute arbitrary code on the server. By sending a malicious model repository and setting trust_remote_code to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} endpoint, the attacker can cause the server to run injected code, leading to compromise of confidentiality, integrity, and availability of the affected system.

Affected Systems

The vulnerability affects the ChromaDB product from Chroma. All releases equal to or greater than 0.4.17 are susceptible, and the issue manifests only when the authenticated user is granted UPDATE_COLLECTION rights.

Risk and Exploitability

The CVSS score of 9.4 indicates a critical severity. Although no EPSS value is available, the lack of an EPSS score does not reduce the risk under the high-degree of internal or credential‑based exploitation. The vulnerability can be leveraged by any user with UPDATE_COLLECTION permissions, and as such, it is suitable for exploitation by malicious insiders or compromised accounts. The vulnerability is not listed in the CISA KEV catalog, but the high CVSS and the potential for arbitrary code execution warrant urgent mitigation.

Generated by OpenCVE AI on June 12, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update ChromaDB to the latest patched version that addresses the trust_remote_code code injection flaw
  • Disable the trust_remote_code feature for all model uploads or restrict it to only trusted repositories
  • Limit UPDATE_COLLECTION permissions to a minimal set of vetted administrators
  • Apply any additional vendor‑issued workarounds that prevent code execution through the vulnerable API

Generated by OpenCVE AI on June 12, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Code Execution via Trust-Remote-Code in ChromaDB 0.4.17+
First Time appeared Chroma
Chroma chromadb
Vendors & Products Chroma
Chroma chromadb

Fri, 12 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} if they have the UPDATE_COLLECTION permission.
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Chroma Chromadb
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2026-06-12T15:57:23.411Z

Reserved: 2026-05-13T14:01:39.604Z

Link: CVE-2026-45833

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-12T16:16:29.070

Modified: 2026-06-12T17:16:23.473

Link: CVE-2026-45833

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T16:30:14Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')