Technical description
ChromaDB's Python FastAPI server initialises embedding function configuration — including model loading from HuggingFace — before performing authentication checks. An unauthenticated attacker sends a single crafted POST request to /api/v2/tenants/{tenant}/databases/{db}/collections pointing to an attacker-controlled HuggingFace repository with trust_remote_code: true. The server downloads and executes the malicious Python module before the authentication check runs; the attacker's code executes and the server then returns a 403 Forbidden, meaning standard log-based detection will show only a 'blocked' request while the payload has already run. CWE-94 (Code Injection). CVSS 4.0 score: 10.0.
Attack vector
Unauthenticated HTTP POST to the collections endpoint containing a collection creation request with an attacker-controlled HuggingFace model name and trust_remote_code: true in the embedding function configuration. No credentials required. Single request achieves code execution on the server process.
Affected systems
ChromaDB Python FastAPI server, versions 1.0.0 through 1.5.8 (current). Approximately 73% of internet-accessible ChromaDB deployments are vulnerable per Shodan scan by HiddenLayer. The Rust frontend (chroma run, Docker Hub images since v1.0.0) is NOT affected. ChromaDB has ~13 million monthly pip downloads and is used in RAG pipelines by Mintlify, Factory AI, and Weights & Biases.
Mitigation
No patch available as of ChromaDB 1.5.8/1.5.9. Immediately restrict network access to the ChromaDB Python FastAPI server port to trusted clients only — no direct internet exposure. Switch to the Rust-based deployment path (chroma run or Docker Hub images) if operationally feasible. For detection, monitor outbound connections from the ChromaDB process to huggingface.co or other model registries, unexpected process spawning from chromadb service accounts, and new file creation by the database process. Full code remediation requires moving authentication before configuration loading and stripping 'kwargs' keys from requests in both V1 and V2 create_collection handlers.
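The remediation sketched above (reject or strip the dangerous configuration before anything is loaded) can also be applied in front of an unpatched server, for instance as a request filter in a reverse proxy. The following is an added illustration, not ChromaDB's own code; the nested field names configuration, embedding_function and config are assumptions about the request shape, since the advisory names only the kwargs key and the trust_remote_code flag.

```python
"""Pre-authentication body filter for create_collection requests.
Inspects the raw JSON before any embedding-function config is acted on,
so a rejected request never triggers a model download."""
import json
from typing import Any, List, Tuple

STRIPPED_KEYS = {"kwargs"}             # removed wherever they appear (advisory)
BLOCKED_FLAGS = {"trust_remote_code"}  # must never be set to a truthy value


def strip_keys(obj: Any) -> Any:
    """Return a copy of obj with every STRIPPED_KEYS entry removed, at any depth."""
    if isinstance(obj, dict):
        return {k: strip_keys(v) for k, v in obj.items() if k not in STRIPPED_KEYS}
    if isinstance(obj, list):
        return [strip_keys(v) for v in obj]
    return obj


def find_blocked_flags(obj: Any, path: str = "$") -> List[str]:
    """Return JSON paths at which a BLOCKED_FLAGS key carries a truthy value."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}"
            if k in BLOCKED_FLAGS and bool(v):
                hits.append(p)
            hits.extend(find_blocked_flags(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_blocked_flags(v, f"{path}[{i}]"))
    return hits


def sanitize_create_collection(raw_body: bytes) -> Tuple[bool, dict, List[str]]:
    """Return (allowed, cleaned_body, reasons). Blocked flags reject the whole
    request (worth logging, since a 403 alone says nothing); otherwise 'kwargs'
    is stripped and the cleaned body can be passed on."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as e:
        return False, {}, [f"invalid JSON: {e.msg}"]
    if not isinstance(body, dict):
        return False, {}, ["body must be a JSON object"]
    reasons = [f"blocked flag set at {p}" for p in find_blocked_flags(body)]
    if reasons:
        return False, {}, reasons
    return True, strip_keys(body), []


# Constructed sample bodies; field nesting is an assumed shape, not ChromaDB's schema.
_CFG = {"model_name": "example-org/placeholder-model"}
SAMPLE_BAD = json.dumps({"name": "docs", "configuration": {"embedding_function": {
    "name": "huggingface", "config": {**_CFG, "kwargs": {"trust_remote_code": True}}}}}).encode()
SAMPLE_OK = json.dumps({"name": "docs", "configuration": {"embedding_function": {
    "name": "huggingface", "config": {**_CFG, "kwargs": {"device": "cpu"}}}}}).encode()
```

The filter is deliberately conservative: a truthy trust_remote_code anywhere in the body rejects the request outright rather than being silently stripped, so the attempt shows up in the proxy's log with a reason.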