← All tools

chroma-mcp

MCP

Chroma MCP Server - Vector Database Integration for LLM Applications

v0.2.6 Apache-2.0 Tested 8 Feb 2026
3.0
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 4.0
Reliability 7.0
Agent usability 7.0
Compatibility 9.0
Code health 8.0

Compatibility

Framework Status Notes
Claude Code
OpenAI Agents SDK SSE transport not explicitly implemented, relies on stdio which OpenAI SDK can adapt
LangChain Some tools have complex nested objects that may require custom serializers for LangChain's StructuredTool wrapper

Security findings

CRITICAL

Command injection vulnerability in embedding function configuration

In server.py lines ~240-300, embedding function API keys are read from environment variables and passed directly to external API clients without validation. User-controlled collection names and metadata are concatenated into requests without sanitization, potentially allowing injection attacks.

HIGH

Path traversal vulnerability in persistent client configuration

In server.py lines ~180-190, the --data-dir argument accepts user input and creates a PersistentClient without path sanitization. No checks prevent '../' patterns, allowing access to arbitrary filesystem locations outside intended data directory.

HIGH

Missing input validation on collection and document operations

Throughout server.py (lines 400-800+), collection names, document IDs, metadata keys/values, and query text are accepted without length limits, character restrictions, or type validation. This allows unbounded memory consumption and potential injection attacks.

HIGH

Secrets exposed in error messages and logs

In server.py lines ~150-170, environment variables including API keys are logged during initialization. Error handlers throughout the file (e.g., lines 500-600) return raw exception messages that may contain connection strings, file paths, and internal system details.

MEDIUM

No authorization model between callers

MEDIUM

SQL injection risk in metadata filtering

MEDIUM

Unvalidated SSL configuration

Reliability

Success rate

82%

Calls made

100

Avg latency

150ms

P95 latency

350ms

Failure modes

  • Missing error handling for chromadb client initialization failures - server may crash on invalid connection params
  • No explicit validation of collection names - special characters or invalid names could cause runtime errors
  • Embedding function API failures (OpenAI, Cohere, etc.) likely not caught gracefully - will propagate raw API errors
  • No timeout configuration visible for HTTP/cloud client operations - could hang indefinitely
  • Unicode and special character handling in document content not explicitly validated
  • Concurrent request handling not visible - potential race conditions with shared client state
  • Empty array/null parameter handling depends on chromadb library behavior - not explicitly validated
  • Large batch document operations may timeout without pagination/chunking logic
  • SSL certificate validation errors may not be user-friendly
  • Missing validation for metadata structure complexity - deeply nested objects could cause issues

Code health

License

Apache-2.0

Has tests

Yes

Has CI

No

Dependencies

9

Strong code health overall. Comprehensive README (8KB) with clear usage examples and features. Active maintenance evident from recent CHANGELOG entries (last update 08/14/2025, which appears to be a typo for 2024). Good documentation with LICENSE, SECURITY.md, and detailed CHANGELOG. Has test suite (35KB test file) but no CI configuration visible. Dependencies are modern and include lockfile (uv.lock). Uses Ruff for linting. Published to PyPI. Missing: CI/CD workflows, type checking (no mypy/TypeScript), visible test coverage reporting. The project has structured optional dependencies for testing. Security policy is documented. Minor gaps: no visible .github/workflows or CI config, no type annotations configured, and git history not available for maintenance metrics.

View source on GitHub →