Max-severity flaw in ChromaDB for AI apps allows server hijacking
A critical vulnerability in ChromaDB allows unauthorized users to execute arbitrary code on exposed servers. The flaw, tracked as CVE-2026-45829, affects the Python FastAPI version of the open-source vector database. Users are advised to restrict access to the API or use the Rust frontend to mitigate the risk until a patch is confirmed.
- The vulnerability was reported on February 17 and has a maximum severity score.
- Approximately 73% of internet-exposed instances of ChromaDB are running a vulnerable version.
- The flaw allows attackers to load and execute malicious models before authentication checks are performed.
Opening excerpt (first ~120 words)
By Bill Toulas, May 19, 2026, 06:25 PM

A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. The flaw is tracked as CVE-2026-45829 and was reported to ChromaDB on February 17. It received the maximum severity score from HiddenLayer, the company that discovered it. ChromaDB is an open-source vector database and AI retrieval backend used in agentic AI and related applications. It enables retrieving semantically relevant documents during large-language model (LLM) inference.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at BleepingComputer.