Vulnerability Management Max-severity vulnerability in ChromaDB allows unauthenticated remote code execution May 20, 2026 Share By SC Staff A critical vulnerability in the Python FastAPI version of the ChromaDB project, tracked as CVE-2026-45829, allows unauthenticated attackers to execute arbitrary code on exposed servers. This flaw, discovered by HiddenLayer, has been assigned the maximum CVSS score of 10. ChromaDB is an open-source vector database and AI retrieval backend widely used in agentic AI applications, as reported by Bleeping Computer. The vulnerability affects the Python API server logic within the PyPI package, which sees nearly 14 million monthly downloads. Attackers can exploit this by sending a crafted request to an authenticated API endpoint. This request embeds model settings before the authentication check is performed, allowing the attacker to force ChromaDB to load and execute a malicious model from platforms like Hugging Face. The authentication check occurs too late, after the malicious code has already run. The flaw was introduced in ChromaDB version 1.0.0 and was present in version 1.5.8. While version 1.5.9 was released, it remains unclear if the vulnerability is patched. Approximately 73% of internet-exposed ChromaDB instances are believed to be running a vulnerable version. Mitigation strategies include using the Rust frontend, avoiding public exposure of the Python server, restricting network access to the API port, and scanning ML model artifacts before runtime. Source: Bleeping Computer SC Staff Related Vulnerability Management Drupal releases emergency security update amid exploit concerns SC Staff May 20, 2026 While the specific type of vulnerability has not been disclosed, the urgency of the advisory suggests a serious flaw with a potentially short window between patch release and active exploitation. Patch/Configuration Management Microsoft addresses Windows Update failures in restricted environments SC Staff May 20, 2026 The failures occur in environments with strict network limitations, including air-gapped systems and heavily firewalled networks. Vulnerability Management Universal Robots patches critical 9.8 flaw in ‘cobots’ OS Steve Zurier May 19, 2026 Critical flaw in Universal Robots cobots could let attackers hijack production systems remotely. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Bug Buffer Overflow Disassembly You can skip this ad in 5 seconds