An unpatched flaw in ChromaDB, tracked as CVE-2026-45829 and dubbed ChromaToast, can let unauthenticated attackers execute code remotely and gain shell access before authentication checks run. Successful exploitation could expose API keys, environment variables, mounted secrets, and other sensitive files on affected systems. #ChromaDB #CVE-2026-45829 #ChromaToast #HuggingFace
Key points
- CVE-2026-45829 affects ChromaDB and enables pre-authentication remote code execution.
- Attackers can trigger the flaw by supplying a malicious HuggingFace model.
- The bug can give full control of the server process and access to sensitive data.
- HiddenLayer says all ChromaDB versions since 1.0.0 are affected.
- Restricting ChromaDB network access to trusted clients is a temporary mitigation.
Read More: https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/