Tag

Chromadb

All articles tagged with #chromadb

Exposed ChromaDB servers hit by high-severity RCE via post-load authentication bypass
security · 5 days ago

A max-severity vulnerability in ChromaDB’s Python FastAPI server (CVE-2026-45829) lets unauthenticated attackers load a malicious model and run code before authentication, enabling remote code execution on exposed servers. The flaw affects the PyPI package (nearly 14 million monthly downloads); mitigations include using the Rust frontend or restricting network access, and validating models before runtime. Patch status is unclear after version 1.5.9, and Shodan shows about 73% of internet-exposed instances are still vulnerable.