The ChromaDB CVE-2026-45829 CVSS 10.0 pre-authentication RCE is a specific, fixable vulnerability in one product. The architectural problem it reveals is broader and more persistent.
Retrieval-augmented generation (RAG) pipelines β the most common enterprise pattern for deploying LLMs against organisation-specific data β consist of several components: an embedding model, a vector database storing document embeddings, an orchestration layer, and an LLM inference endpoint. The vector database is architecturally equivalent to a structured database containing all the sensitive documents that have been embedded into the AI system.
In most enterprise deployments, the relational and NoSQL databases holding sensitive data are protected by network segmentation, authentication enforcement, audit logging, backup integrity monitoring, and regular security testing. Vector databases are being deployed without most of these controls β not because architects decided the risk is acceptable, but because the security posture question was not asked when the RAG pipeline was built.
The Architecture of an Exposed RAG Pipeline
A typical under-secured enterprise RAG deployment looks like this:
Embedding pipeline: A Python process running with broad filesystem access reads documents from network shares, SharePoint, or S3, generates embeddings using a model (often local or HuggingFace-hosted), and writes embeddings to the vector database. This process typically runs with the credentials of the service account that has read access to the document sources.
Vector database: ChromaDB, Pinecone (self-hosted), Weaviate, Qdrant, or similar. Often deployed in a Docker container on a development server or cloud VM, accessible on the default port, with authentication either disabled or using a default credential. Network access controls may be limited to cloud security group rules that were configured during initial setup and not subsequently reviewed.
Query service: An API or application that accepts queries, generates a query embedding, retrieves the most similar document embeddings from the vector database, and sends the retrieved documents plus the query to the LLM inference endpoint for response generation.
LLM inference endpoint: Either a cloud API (OpenAI, Anthropic, Azure OpenAI) or a local inference server. Cloud APIs use API keys; local inference servers often have minimal authentication.
The data in the vector database is the materialised content of every document embedded into the system β the same sensitive information that the pipeline was built to make accessible to the LLM. An attacker with access to the vector database has access to all of that information in a format that is relatively easy to extract: vector databases typically provide simple REST or gRPC APIs for querying and bulk export.
Security Architecture for RAG Pipelines
Authentication on the vector database: All production vector database deployments should require authentication. ChromaDB 1.x introduced token-based authentication; most other vector database products have similar mechanisms. Default-open authentication should be treated as a misconfiguration, not a configuration option.
Network isolation: Vector databases should be accessible only from the specific components that need them β the embedding pipeline (write access) and the query service (read access). They should not be accessible from developer workstations, CI/CD infrastructure, or the internet. Cloud security groups should be specific: source: query-service-security-group, port: 8000 rather than source: 0.0.0.0/0.
Separate credentials for embedding and query: The embedding pipeline needs write access (to store embeddings). The query service needs only read access (to retrieve embeddings). Using separate credentials with distinct permissions limits the blast radius of a compromise in either component.
Audit logging: Vector database access should be logged with sufficient detail to identify unusual access patterns β bulk exports, queries from unexpected sources, or high-frequency queries that may indicate reconnaissance or data extraction.
Content classification alignment: The classification level of documents embedded into a RAG pipeline should determine the security controls applied to the vector database. A vector database containing embeddings of confidential intellectual property should receive the same protection as the system storing that IP.
Regular security testing: Vector databases in production RAG pipelines should be included in penetration test scope, not excluded as βinfrastructure.β The CVE-2026-45829 disclosure demonstrates that these systems have security-relevant vulnerabilities that require the same testing as other production components.
The Inventory Problem
The most common gap identified in enterprise AI security reviews is not that organisations have assessed vector database security and found it acceptable. It is that organisations do not know which vector database instances exist in their environment.
RAG pipelines are built rapidly by development teams responding to business demand for AI-augmented products. The vector database is a dependency deployed alongside the pipeline. In organisations without centralised AI/ML infrastructure governance, multiple independent RAG deployments may exist in different business units, each with its own vector database instance, without any central security review.
ChromaDBβs exploitation risk is highest in exactly these shadow deployments β the instances deployed outside the enterprise security perimeter review process, internet-exposed via misconfigured cloud security groups, with default or no authentication, containing embeddings of sensitive internal documents.
The first step is inventory. Before assessing security controls, identify every vector database instance in the environment. A network scan for common vector database ports (8000 for ChromaDB, 8080 for Weaviate, 6333 for Qdrant) combined with cloud asset inventory review will surface most instances.
Share this article