Share
## https://sploitus.com/exploit?id=2AC0361E-D453-5D1F-86AD-31D8C3A18188
# ๐จ CVE-2026-45829 - ChromaDB Pre-Auth RCE
**Critical Remote Code Execution in ChromaDB Vector Database**



---
## ๐ Overview
**CVE-2026-45829** is a **critical pre-authentication Remote Code Execution** vulnerability in **ChromaDB**, a popular open-source AI Vector Database.
An unauthenticated attacker can exploit the way ChromaDB handles embedding function configuration to achieve **full remote code execution** on the server.
### Key Information
| Item | Details |
|------------------------|----------------------------------------------|
| **CVE ID** | CVE-2026-45829 |
| **Severity** | Critical (CVSS 9.8) |
| **Affected Component** | Embedding Function Handler |
| **Attack Vector** | Unauthenticated HTTP Request |
| **Impact** | Remote Code Execution (RCE) |
| **Affected Versions** | ChromaDB โฅ 1.0.0 (including latest 1.5.x) |
---
## ๐งช How The Exploit Works
1. Attacker sends a crafted `POST` request to collection creation endpoint.
2. ChromaDB processes the `embedding_function` configuration **before** authentication.
3. `trust_remote_code=True` allows loading of malicious code.
4. Attacker can execute arbitrary Python code on the server via `model_name` field.
---
## ๐ฏ Expected Results (If Exploit Works)
```bash
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2026-45829 - ChromaDB RCE โ
โ Pre-Auth Remote Code Execution โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Attacking ChromaDB โ http://target:8000
[+] EXPLOIT SUCCESS!
[+] Command executed: whoami
[+] Check /tmp/chromapwned.txt on target
```
**After Success You Can:**
- Read `/etc/passwd`
- Get reverse shell
- Dump environment variables
- Install backdoors
---
## ๐ Mitigation
- **Update ChromaDB** immediately when patch is released.
- Do **NOT** expose ChromaDB directly to the internet.
- Disable `trust_remote_code` if possible.
- Use strong authentication + network segmentation.
---
## ๐ Shodan / FoFa Dorks
**FoFa:**
```bash
app="ChromaDB" || title="Chroma"
```
**Shodan:**
```bash
"ChromaDB" OR "Chroma HTTP Server" port:8000
```
---
## โ ๏ธ Legal Disclaimer
> This information and PoC are provided for **educational and authorized security testing** purposes only.
> Unauthorized scanning or exploitation of systems you do not own is illegal.
---
**Made with โค๏ธ for security researchers**