Share
## https://sploitus.com/exploit?id=2AC0361E-D453-5D1F-86AD-31D8C3A18188
# ๐Ÿšจ CVE-2026-45829 - ChromaDB Pre-Auth RCE



**Critical Remote Code Execution in ChromaDB Vector Database**

![Critical](https://img.shields.io/badge/Severity-Critical-red?style=for-the-badge)
![RCE](https://img.shields.io/badge/Exploit-RCE-blue?style=for-the-badge)
![Unauthenticated](https://img.shields.io/badge/Access-Unauthenticated-red?style=for-the-badge)



---

## ๐Ÿ“Œ Overview

**CVE-2026-45829** is a **critical pre-authentication Remote Code Execution** vulnerability in **ChromaDB**, a popular open-source AI Vector Database.

An unauthenticated attacker can exploit the way ChromaDB handles embedding function configuration to achieve **full remote code execution** on the server.

### Key Information

| Item                    | Details                                      |
|------------------------|----------------------------------------------|
| **CVE ID**             | CVE-2026-45829                               |
| **Severity**           | Critical (CVSS 9.8)                          |
| **Affected Component** | Embedding Function Handler                   |
| **Attack Vector**      | Unauthenticated HTTP Request                 |
| **Impact**             | Remote Code Execution (RCE)                  |
| **Affected Versions**  | ChromaDB โ‰ฅ 1.0.0 (including latest 1.5.x)   |

---

## ๐Ÿงช How The Exploit Works

1. Attacker sends a crafted `POST` request to collection creation endpoint.
2. ChromaDB processes the `embedding_function` configuration **before** authentication.
3. `trust_remote_code=True` allows loading of malicious code.
4. Attacker can execute arbitrary Python code on the server via `model_name` field.

---

## ๐ŸŽฏ Expected Results (If Exploit Works)

```bash
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘                 CVE-2026-45829 - ChromaDB RCE                โ•‘
โ•‘                Pre-Auth Remote Code Execution                โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] Attacking ChromaDB โ†’ http://target:8000

[+] EXPLOIT SUCCESS!
[+] Command executed: whoami
[+] Check /tmp/chromapwned.txt on target
```

**After Success You Can:**
- Read `/etc/passwd`
- Get reverse shell
- Dump environment variables
- Install backdoors

---

## ๐Ÿ›  Mitigation

- **Update ChromaDB** immediately when patch is released.
- Do **NOT** expose ChromaDB directly to the internet.
- Disable `trust_remote_code` if possible.
- Use strong authentication + network segmentation.

---

## ๐Ÿ” Shodan / FoFa Dorks

**FoFa:**
```bash
app="ChromaDB" || title="Chroma"
```

**Shodan:**
```bash
"ChromaDB" OR "Chroma HTTP Server" port:8000
```

---

## โš ๏ธ Legal Disclaimer

> This information and PoC are provided for **educational and authorized security testing** purposes only.  
> Unauthorized scanning or exploitation of systems you do not own is illegal.

---

**Made with โค๏ธ for security researchers**