
Critical ChromaDB Flaw Exposes AI Vector Databases to Remote Code Execution
The security issue tracked as CVE-2026-45829, often referred to in analysis as ChromaToast Served Pre-Auth, affects the open-source vector database ChromaDB. ChromaDB is widely used for semantic search and AI-driven retrieval workflows, where embedding models transform text into numerical vectors for similarity matching.
The vulnerability exists in the ChromaDB FastAPI server, where user-controlled embedding function configuration supplied in a request can be processed before the server has authenticated the caller. Because the server acts on that configuration before verifying credentials, an unauthenticated HTTP request can trigger remote code execution (RCE) under specific conditions involving HuggingFace model loading behavior.
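To make the ordering defect concrete, the following added example (not code from ChromaDB or from this article) models a request handler in plain Python. Every name in it is hypothetical: a tiny embedding function registry, a `remote_model` loader that records which model name it was asked to load (standing in for a network fetch or code load), a `vulnerable_create_collection` handler that builds the embedding function before checking the bearer token, and a `hardened_create_collection` handler that authenticates first and then only accepts an allowlist of embedding function names.

```python
"""Ordering defect vs. hardened handler (added illustration, hypothetical names).

Not ChromaDB's code. The point shown: when request-supplied configuration is
acted on before authentication, an anonymous caller can drive the loader even
though the request is ultimately rejected with an auth error.
"""
from dataclasses import dataclass, field

API_TOKEN = "example-token"  # constructed sample credential


class AuthError(Exception):
    """Raised when the bearer token is missing or wrong."""


class ConfigError(Exception):
    """Raised when the embedding function configuration is rejected."""


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


# Records every model name the "remote" loader was asked for, so the test can
# observe side effects that happened before the auth check.
LOAD_LOG: list = []


def local_default(**kwargs):
    return ("local_default", kwargs)


def remote_model(model_name: str, **kwargs):
    LOAD_LOG.append(model_name)  # stand-in for fetching/loading external code
    return ("remote_model", model_name)


# Hypothetical registry of embedding function constructors.
REGISTRY = {"default": local_default, "remote_model": remote_model}


def build_embedding_function(cfg: dict):
    name = cfg.get("name", "default")
    ctor = REGISTRY.get(name)
    if ctor is None:
        raise ConfigError(f"unknown embedding function {name!r}")
    return ctor(**cfg.get("args", {}))


def check_auth(req: Request) -> None:
    if req.headers.get("Authorization") != f"Bearer {API_TOKEN}":
        raise AuthError("missing or invalid bearer token")


def vulnerable_create_collection(req: Request):
    # Defect: caller-controlled configuration is acted on first; the auth
    # failure comes too late to stop the loader side effect.
    ef = build_embedding_function(req.body.get("embedding_function", {}))
    check_auth(req)
    return ef


def hardened_create_collection(req: Request, allowed=frozenset({"default"})):
    # Authenticate before touching any caller-supplied configuration, then
    # refuse embedding function names that are not explicitly allowlisted.
    check_auth(req)
    cfg = req.body.get("embedding_function", {})
    if cfg.get("name", "default") not in allowed:
        raise ConfigError(f"embedding function {cfg.get('name')!r} not allowed")
    return build_embedding_function(cfg)


def demo():
    """Return (loads triggered by the vulnerable handler, loads by the hardened one)
    for the same anonymous request."""
    anon = Request(body={"embedding_function": {
        "name": "remote_model", "args": {"model_name": "example/untrusted-model"}}})
    LOAD_LOG.clear()
    try:
        vulnerable_create_collection(anon)
    except AuthError:
        pass
    loads_vulnerable = list(LOAD_LOG)
    LOAD_LOG.clear()
    try:
        hardened_create_collection(anon)
    except AuthError:
        pass
    loads_hardened = list(LOAD_LOG)
    return loads_vulnerable, loads_hardened


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the loader being invoked with the anonymous caller's model name in the vulnerable path even though the request ends in an auth error, and no load at all in the hardened path; an authenticated caller asking for a non-allowlisted name is rejected with `ConfigError` before any constructor runs.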
ChromaDB has seen significant adoption,...