
Security researchers are warning about a critical unpatched vulnerability in ChromaDB that could allow remote attackers to fully compromise affected servers without authentication. The flaw, tracked as CVE-2026-45829 and nicknamed “ChromaToast,” can reportedly be exploited to achieve remote code execution and gain shell access to vulnerable systems.
ChromaDB is a widely used open-source vector database platform designed for AI applications, retrieval systems, and large language model workflows. The software reportedly sees around 13 million monthly pip downloads and is used by organizations including Mintlify, Factory AI, and Weights & Biases.
According to cybersecurity firm HiddenLayer, the vulnerability stems from two separate security failures that combine into a severe exploit chain. Researchers explained that ChromaDB trusts user-supplied model identifiers before performing authentication checks, allowing attackers to force the server to download and execute malicious Hugging Face models without valid credentials.
HiddenLayer demonstrated that an attacker can exploit the flaw by sending a crafted collection creation request referencing a malicious Hugging Face model repository. Even when no authentication credentials are supplied, the server reportedly downloads and executes the malicious model before verifying whether the request is authorized.
Successful exploitation could allow attackers to access sensitive information stored on affected servers, including API keys, environment variables, mounted secrets, and files stored on disk. Researchers warned that attackers could also achieve full server takeover by spawning remote shells and executing arbitrary commands on compromised systems.
Security experts note that vulnerabilities in AI infrastructure components such as vector databases are becoming increasingly concerning because these systems often sit close to sensitive enterprise AI workflows, embeddings, retrieval pipelines, proprietary datasets, and cloud infrastructure credentials. Compromising vector databases can potentially expose large-scale AI application ecosystems.
At the time of reporting, no official patch had yet been released for the vulnerability. Researchers urged organizations using ChromaDB to immediately restrict internet exposure, isolate vulnerable deployments, monitor for suspicious outbound requests, and avoid loading untrusted external models.
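The ordering flaw described above (a model identifier acted on before the authentication check) and the advice to avoid loading untrusted models can be illustrated together. The sketch below is an added example, not code from ChromaDB or HiddenLayer; the request shape, `API_TOKEN`, `ALLOWED_MODELS`, and `load_model` are hypothetical names, and the loader is a recording stand-in for the download-and-execute step.

```python
import hmac

# Hypothetical names throughout: the request shape, API_TOKEN, ALLOWED_MODELS and
# load_model are assumptions for illustration, not ChromaDB's API.
API_TOKEN = "constructed-test-token"
ALLOWED_MODELS = {"example-org/approved-embedder"}  # constructed allowlist entry


class Rejected(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def authenticated(request):
    token = request.get("token")
    if not isinstance(token, str):
        return False
    return hmac.compare_digest(token.encode(), API_TOKEN.encode())


def create_collection_unsafe(request, load_model):
    """Ordering described in the article: the model is loaded before the auth check."""
    embedder = load_model(request["model"])  # side effect runs for any caller
    if not authenticated(request):
        raise Rejected(401, "unauthenticated")
    return {"name": request["name"], "embedder": embedder}


def create_collection_safe(request, load_model):
    """Authenticate, then allowlist the identifier, and only then touch the loader."""
    if not authenticated(request):
        raise Rejected(401, "unauthenticated")
    model = request.get("model")
    if not isinstance(model, str) or model not in ALLOWED_MODELS:
        raise Rejected(400, "model identifier not on allowlist")
    return {"name": request["name"], "embedder": load_model(model)}


def loader_calls(handler, request):
    """Run handler with a recording loader; return (status, identifiers loaded)."""
    loaded = []
    def recording_loader(model_id):
        loaded.append(model_id)  # stands in for the download-and-execute step
        return f"embedder:{model_id}"
    try:
        handler(request, recording_loader)
        return 200, loaded
    except Rejected as exc:
        return exc.status, loaded
```

Both handlers answer an unauthenticated request with 401; the difference that matters is whether the loader ran before that response was produced.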
The incident highlights growing security concerns around AI infrastructure software and model supply chains. As AI applications depend more heavily on external model repositories, plugins, embeddings, and open-source tooling, attackers are increasingly targeting weaknesses in AI orchestration platforms, vector databases, and model-loading pipelines.




