{"data":{"id":"5814dbb2-6f1b-43d8-9109-49e3e23ed2fb","title":"Unpatched ChromaDB flaw leaves servers open to remote code execution","summary":"ChromaDB, a popular vector database used in AI applications, has a critical vulnerability (CVE-2026-45829) that allows unauthenticated attackers to run arbitrary code on the server. The flaw exists because the Python FastAPI server performs its authentication check only after it has already downloaded and loaded a caller-specified model from Hugging Face, and loading that model executes the code it contains. An attacker therefore only needs to publish a malicious model on Hugging Face and send an unauthenticated request that points ChromaDB at it; the payload runs before the request is ever rejected.","solution":"Until a patch becomes available, researchers advise: (1) deploy ChromaDB using the Rust implementation instead of the Python FastAPI server, as the Rust version is not affected, and (2) restrict network access to the ChromaDB port to trusted IP addresses only, so the vulnerable endpoint is never reachable from the internet. Because the code runs before the authentication check, simply enabling ChromaDB authentication does not mitigate the issue.","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4175958/unpatched-chromadb-flaw-leaves-servers-open-to-remote-code-execution.html","publishedAt":"2026-05-21T21:29:13.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain","data_extraction"],"issueType":"news","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["ChromaDB","HuggingFace","HiddenLayer"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-05-21T21:29:13.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"rag","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}