Summary
ChromaDB has an unpatched pre-authentication remote code execution vulnerability (CVE-2026-45829) that lets attackers take over servers by supplying malicious HuggingFace models. The flaw affects the Python FastAPI implementation and enables unauthorized access to sensitive API keys, secrets, and internal files.
Take Action:
If you use ChromaDB, immediately verify whether you are running the Python-based server and isolate it from the public internet. Prioritize migrating to the Rust-based deployment path, since the vendor has not yet patched this flaw.
This article was originally published on BeyondMachines