Researchers at HiddenLayer have disclosed a critical flaw in ChromaDB that lets unauthenticated attackers force a server to fetch and execute malicious AI models before its authentication check runs, exposing growing open-source AI supply-chain risks.
A critical vulnerability in ChromaDB is exposing publicly accessible servers to unauthenticated remote code execution (RCE), raising fresh concerns around security practices in open-source AI infrastructure.
Tracked as CVE-2026-45829 and nicknamed “ChromaToast,” the flaw affects ChromaDB versions 1.0.0 to 1.5.8. Researchers at HiddenLayer disclosed the issue after reportedly receiving no response from ChromaDB developers despite multiple disclosure attempts since February.
The vulnerability stems from a race condition between ChromaDB’s model-loading process and its authentication validation logic: the server resolves and loads the embedding model a request names before it validates the caller’s credentials. Attackers can therefore send requests that force the server to fetch and execute malicious embedding models hosted on Hugging Face, and the code has already run by the time the authentication check rejects the request.
“The authentication is not missing, it’s just in the wrong place,” HiddenLayer researchers said. “By the time it fires, the model has already been fetched and executed.”
The exploit abuses the trust_remote_code option (trust_remote_code: true), which lets a Hugging Face model repository ship its own Python modules that are imported and executed when the model is loaded. A model repository controlled by the attacker therefore becomes a code-delivery vehicle. Successful exploitation can give attackers shell access on the server, along with API keys, mounted secrets, environment variables, and locally stored vector data.
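The two ingredients described above, repository-supplied code that runs at model-load time and an authentication check that fires only after loading, are illustrated by the following added example. This is illustration code written for this article, not ChromaDB, Hugging Face or HiddenLayer code, and it does not touch the network: it constructs a fake model repository in a temporary directory using the config.json "auto_map" convention that Hugging Face custom models use, replaces the real model loader with a minimal stand-in, and marks that the repository's code ran by setting an environment variable. The token value, the repo layout and the handler names are assumptions made for the example.

```python
"""Added illustration (not ChromaDB, Hugging Face or HiddenLayer code): a model
repository that carries executable Python, a loader that honours
trust_remote_code, and a request handler that authenticates too late versus
one that authenticates first and never trusts repository code."""
import importlib.util
import json
import os
import tempfile

# Constructed payload module. Everything at module top level runs the moment a
# loader that trusts the repository imports it; here it only sets an env var.
PAYLOAD_MODULE = '''
import os
os.environ["DEMO_MODEL_CODE_RAN"] = "1"      # stand-in for the real payload

class CustomEmbedder:
    def embed(self, text):
        return [float(len(text))]
'''

VALID_TOKEN = "demo-token"  # assumed credential for the example


def make_model_repo(with_custom_code=True):
    """Build a constructed Hugging Face-style repo directory in a temp dir.
    With custom code, config.json's "auto_map" names a module shipped in the repo."""
    repo = tempfile.mkdtemp(prefix="fake-hf-repo-")
    config = {"model_type": "demo"}
    if with_custom_code:
        config["auto_map"] = {"AutoModel": "modeling_demo.CustomEmbedder"}
        with open(os.path.join(repo, "modeling_demo.py"), "w") as f:
            f.write(PAYLOAD_MODULE)
    with open(os.path.join(repo, "config.json"), "w") as f:
        json.dump(config, f)
    return repo


def load_model(repo, trust_remote_code):
    """Minimal stand-in for a transformers-style loader: if the repo declares
    custom code via auto_map, it is imported (and executed) only when
    trust_remote_code is True; otherwise the load is refused."""
    with open(os.path.join(repo, "config.json")) as f:
        config = json.load(f)
    auto_map = config.get("auto_map")
    if not auto_map:
        return "builtin-architecture"  # no repository code involved
    if not trust_remote_code:
        raise ValueError("model repo ships custom code; refusing without trust_remote_code=True")
    module_name, class_name = auto_map["AutoModel"].split(".")
    spec = importlib.util.spec_from_file_location(
        module_name, os.path.join(repo, module_name + ".py"))
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # repository-supplied code executes here
    return getattr(module, class_name)()


def is_authenticated(token):
    return token == VALID_TOKEN


def handle_vulnerable(token, repo):
    """Ordering bug: the model is fetched and loaded before auth is validated,
    so an unauthenticated request still gets the repo's code executed."""
    model = load_model(repo, trust_remote_code=True)
    if not is_authenticated(token):
        raise PermissionError("unauthenticated")
    return model


def handle_hardened(token, repo, allowed_repos):
    """Authenticate first, accept only allowlisted model sources, and never
    trust repository code, so no untrusted import can happen pre-auth."""
    if not is_authenticated(token):
        raise PermissionError("unauthenticated")
    if repo not in allowed_repos:
        raise PermissionError("model not allowlisted")
    return load_model(repo, trust_remote_code=False)


def demo():
    """Return (code ran in vulnerable handler, code ran in hardened handler)
    for an unauthenticated request naming a repo with custom code."""
    repo = make_model_repo(with_custom_code=True)
    os.environ.pop("DEMO_MODEL_CODE_RAN", None)
    try:
        handle_vulnerable("wrong-token", repo)
    except PermissionError:
        pass
    ran_before_auth = os.environ.get("DEMO_MODEL_CODE_RAN") == "1"
    os.environ.pop("DEMO_MODEL_CODE_RAN", None)
    try:
        handle_hardened("wrong-token", repo, {repo})
    except PermissionError:
        pass
    ran_hardened = os.environ.get("DEMO_MODEL_CODE_RAN") == "1"
    return ran_before_auth, ran_hardened


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The vulnerable handler rejects the bad token, yet the payload has already executed, which is exactly the "authentication in the wrong place" failure the researchers describe. The hardened handler shows the two independent fixes a practitioner would want: check credentials before doing anything on the caller's behalf, and refuse repository-supplied code regardless of who is asking.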
According to HiddenLayer, over 73% of internet-exposed ChromaDB instances indexed by Shodan remain vulnerable.
Researchers advised organisations to use ChromaDB’s Rust implementation instead of the Python FastAPI server and restrict access to trusted IP addresses until a patch becomes available.
HiddenLayer warned that the incident reflects a broader AI supply-chain problem: “A model is not passive data. It is code.”