1 article
HiddenLayer and the Cloud Security Alliance published disclosures of CVE-2026-45829, a CVSS 10.0 unauthenticated remote code execution vulnerability in ChromaDB's Python FastAPI server, on 18–20 May 2026. Attackers can inject malicious code via a crafted HuggingFace-hosted model before the authentication gate fires. Approximately 73% of ChromaDB deployments are internet-exposed. No patch exists for affected versions.