AN unpatched vulnerability in ChromaDB could allow remote, unauthenticated attackers to spawn a shell and take control of the server process, according to HiddenLayer. Tracked as CVE-2026-45829 and referred to as ChromaToast, the pre-authentication remote code execution flaw could be exploited to leak sensitive information the server has access to, including API keys, environment variables, mounted secrets, and all files on the disk.
The root cause, HiddenLayer says, is two independent failures that compound each other: the server trusts client-supplied model identifiers without restriction and acts on that trust before authenticating the user. An unauthenticated attacker can trigger the flaw by supplying a malicious HuggingFace model, providing shell access after the model is downloaded and executed but before authentication checks.
The vulnerability affects all ChromaDB iterations since version 1.0.0, with roughly 73% of internet-facing deployments affected, according to HiddenLayer. As of ChromaDB 1.5.8, SecurityWeek notes the issue has not been patched, and efforts to obtain a response from Chroma have so far been unsuccessful since February 17; Azraelxuemo reportedly reported the flaw in November 2025.