Unpatched ChromaDB Vulnerability Can Lead to Server Takeover
The security defect can be exploited remotely, without authentication, to execute arbitrary code and leak sensitive information. The post Unpatched ChromaDB Vulnerability Can Lead to Server Takeover appeared first on SecurityWeek.
An unpatched vulnerability in ChromaDB could allow remote, unauthenticated attackers to spawn a shell and take control of the server process, HiddenLayer reports.
ChromaDB is an open source vector database for building AI applications. It has approximately 13 million monthly pip downloads and is used by high-profile organizations, including Mintlify, Factory AI, and Weights & Biases.
Tracked as CVE-2026-45829 and referred to as ChromaToast, the pre-authentication remote code execution (RCE) flaw could be exploited to leak sensitive information the server has access to, including API keys, environment variables, mounted secrets, and all files on the disk, according to HiddenLayer.
Source: https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/
Related breach coverage
- Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking (2026-05-21)
CVE-2026-9082 can be exploited without authentication for information disclosure, privilege escalation, and remote code execution.
- PoC Code Published for Critical NGINX Vulnerability (2026-05-16)
Introduced in 2008, the critical-severity security defect was patched this week in NGINX Plus and NGINX open source.
- Fortinet, Ivanti Patch Critical Vulnerabilities (2026-05-13)
Successful exploitation of these flaws could lead to arbitrary code execution and information disclosure.
- ‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains (2026-05-23)
The stealthy vulnerability impacts roughly 88 million domains and can be exploited to bypass DNS filtering and hide command-and-control traffic.
