Unpatched ChromaDB flaw leaves servers open to remote code execution

Summary

A critical vulnerability, CVE-2026-45829, has been disclosed in ChromaDB, a popular vector database for AI applications. The flaw allows unauthenticated attackers to execute arbitrary code and access sensitive data by exploiting a race condition in the API server. Despite multiple attempts to report the issue, ChromaDB developers have not responded, leading to public disclosure by researchers.

IFF Assessment

FOE

This vulnerability allows unauthenticated remote code execution and data access, posing a significant risk to any system that uses ChromaDB in an AI application.

Severity

9.8 Critical (AI Estimated)

The vulnerability allows unauthenticated remote code execution and data access on affected servers, which drives the high severity score. Exploitability is high because of the race condition and because requests can be sent that cause the server to load malicious configurations.

Defender Context

Defenders should be aware of this critical vulnerability in ChromaDB, especially if it's used in their AI infrastructure for RAG workflows. Organizations should prioritize restricting network access to ChromaDB ports and consider migrating to the unaffected Rust implementation or awaiting a patch to mitigate the risk of unauthorized code execution and data exfiltration.
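The advisory's main interim mitigation is restricting network access to the ChromaDB port. The script below is an added example (not code from the advisory or from the ChromaDB project) that helps a defender act on that: it parses `ss -ltnp` output to flag a ChromaDB listener bound to a non-loopback address, and renders nftables rules that accept the port only from an allowlist. It assumes the Chroma HTTP server's default port of 8000 (not stated on the page), that an `inet filter` table with an `input` chain already exists for the generated nftables rules, and the sample socket listing is constructed for offline use.

```python
"""Audit for an exposed ChromaDB API listener and render allowlist firewall rules.

Added example; not code from the advisory or the ChromaDB project.
Assumptions not stated on the page: the Chroma HTTP server listens on TCP 8000
by default, `ss -ltnp` is available for live use, and an nftables table
`inet filter` with chain `input` exists when the rendered rules are applied.
"""
import ipaddress
import re
import subprocess

# Assumed default port of the Chroma HTTP server; override if you run it elsewhere.
CHROMA_PORT = 8000

# Constructed sample of `ss -ltnp` output for offline use (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=311,fd=6))
LISTEN 0      2048   0.0.0.0:8000        0.0.0.0:*         users:(("uvicorn",pid=1422,fd=12))
LISTEN 0      2048   [::]:8000           [::]:*            users:(("uvicorn",pid=1422,fd=13))
LISTEN 0      128    127.0.0.1:8001      0.0.0.0:*         users:(("chroma",pid=1500,fd=7))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_line(line):
    """Return {addr, port, process} for one LISTEN line of `ss -ltnp`, else None."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None
    addr, _, port = parts[3].rpartition(":")   # handles "[::]:8000", "*:8000", "1.2.3.4:8000"
    addr = addr.strip("[]")
    match = PROCESS_RE.search(line)
    return {"addr": addr, "port": int(port), "process": match.group(1) if match else ""}


def is_exposed(addr):
    """True when a bind address is reachable from beyond the host (wildcard or non-loopback)."""
    if addr in ("*", ""):
        return True
    return not ipaddress.ip_address(addr).is_loopback


def find_exposed_chroma(ss_output, port=CHROMA_PORT):
    """Flag listeners that look like ChromaDB (by port or process name) and are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        rec = parse_ss_line(line)
        if rec is None:
            continue
        looks_like_chroma = rec["port"] == port or "chroma" in rec["process"].lower()
        if looks_like_chroma and is_exposed(rec["addr"]):
            findings.append(rec)
    return findings


def nft_allowlist_rules(allowed_cidrs, port=CHROMA_PORT):
    """Render nftables rules: accept the Chroma port from each allowed CIDR, drop everything else."""
    rules = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)          # raises ValueError on a malformed CIDR
        family = "ip6" if net.version == 6 else "ip"
        rules.append(f"add rule inet filter input {family} saddr {net} tcp dport {port} accept")
    rules.append(f"add rule inet filter input tcp dport {port} drop")
    return rules


def audit_live(port=CHROMA_PORT):
    """Run the audit against the current host (Linux with iproute2)."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return find_exposed_chroma(out, port)


if __name__ == "__main__":
    for f in find_exposed_chroma(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {f['process'] or '?'} listening on {f['addr']}:{f['port']}")
    for rule in nft_allowlist_rules(["10.20.0.0/24"]):
        print(rule)
```

Run it without arguments to see the two findings from the constructed sample (the IPv4 and IPv6 wildcard binds on port 8000; the loopback-only `chroma` process is not flagged), then call `audit_live()` on the host running ChromaDB. The rendered nftables rules are a starting point: binding the service to loopback or a private interface and fronting it with an authenticating proxy reduces exposure further than a port filter alone.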