GitHub: 0xBlackash/CVE-2026-45829
# 🚨 CVE-2026-45829 - ChromaDB Pre-Auth RCE
**Critical Remote Code Execution in ChromaDB Vector Database**



## 📌 Overview
**CVE-2026-45829** is a **critical pre-authentication Remote Code Execution** vulnerability in **ChromaDB**, a popular open-source AI Vector Database.
An unauthenticated attacker can exploit the way ChromaDB handles embedding function configuration to achieve **full remote code execution** on the server.
### Key Information
| Item | Details |
|------------------------|----------------------------------------------|
| **CVE ID** | CVE-2026-45829 |
| **Severity** | Critical (CVSS 9.8) |
| **Affected Component** | Embedding Function Handler |
| **Attack Vector** | Unauthenticated HTTP Request |
| **Impact** | Remote Code Execution (RCE) |
| **Affected Versions** | ChromaDB ≥ 1.0.0 (including latest 1.5.x) |
## 🧪 How The Exploit Works
1. The attacker sends a crafted `POST` request to the collection creation endpoint.
2. ChromaDB processes the `embedding_function` configuration **before** authentication.
3. `trust_remote_code=True` allows malicious code to be loaded.
4. The attacker can execute arbitrary Python code on the server via the `model_name` field.
## 🎯 Expected Results (If Exploit Works)
```text
╔══════════════════════════════════════════════════════════════╗
║ CVE-2026-45829 - ChromaDB RCE ║
║ Pre-Auth Remote Code Execution ║
╚══════════════════════════════════════════════════════════════╝
[*] Attacking ChromaDB → http://target:8000
[+] EXPLOIT SUCCESS!
[+] Command executed: whoami
[+] Check /tmp/chromapwned.txt on target
```
**After Success You Can:**
- Read `/etc/passwd`
- Get reverse shell
- Dump environment variables
- Install backdoors
## 🛠 Mitigation
- **Update ChromaDB** immediately once a patch is released.
- Do **NOT** expose ChromaDB directly to the internet.
- Disable `trust_remote_code` if possible.
- Use strong authentication and network segmentation.
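An added request check for the mitigations above (example code, not part of this repository): it inspects a collection-creation request body for the `embedding_function` settings named in the exploit steps, flagging `trust_remote_code` and any `model_name` outside an allowlist. The JSON layout of the request bodies and the allowlist are assumptions.

```python
import json

# Constructed sample request bodies. The JSON layout is an assumption;
# the field names (embedding_function, trust_remote_code, model_name)
# come from the advisory text above.
SAFE_REQUEST = json.dumps({
    "name": "docs",
    "configuration": {"embedding_function": {"model_name": "all-MiniLM-L6-v2"}},
})
SUSPICIOUS_REQUEST = json.dumps({
    "name": "docs",
    "configuration": {"embedding_function": {
        "model_name": "../../not-a-model/evil",
        "trust_remote_code": True,
    }},
})

# Hypothetical allowlist of models the deployment is expected to load.
ALLOWED_MODELS = {"all-MiniLM-L6-v2"}


def _find_embedding_functions(obj):
    """Recursively yield every embedding_function dict in a JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "embedding_function" and isinstance(value, dict):
                yield value
            yield from _find_embedding_functions(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _find_embedding_functions(item)


def check_collection_request(body: str) -> list:
    """Return findings for a collection-creation body; [] means it looks clean.

    Meant to run in a reverse proxy or log review in front of a ChromaDB
    instance, so that remote-code loading is refused before it reaches the server.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    findings = []
    for ef in _find_embedding_functions(doc):
        # Accept True, "true" or "True": all would enable remote code loading.
        if str(ef.get("trust_remote_code")).lower() == "true":
            findings.append("trust_remote_code=True requested")
        model = ef.get("model_name")
        if model is not None and model not in ALLOWED_MODELS:
            findings.append(f"model_name not in allowlist: {model!r}")
    return findings
```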
## 🔍 Shodan / FoFa Dorks
**FoFa:** `app="ChromaDB" || title="Chroma"`

**Shodan:** `"ChromaDB" OR "Chroma HTTP Server" port:8000`
## ⚠️ Legal Disclaimer
**Made with ❤️ for security researchers**


