Security Stuff

Unpatched ChromaDB Vulnerability Can Lead to Server Takeover

ChromaDB, a popular open-source vector database used for AI applications with around 13 million monthly downloads, has an unpatched vulnerability that could allow unauthenticated attackers to take over servers completely. The flaw, tracked as CVE-2026-45829 and nicknamed ChromaToast, lets attackers supply a malicious model through HuggingFace that executes before the server performs its authentication checks, giving them full control of the server and access to sensitive data, including API keys and files. Security researchers say they have been trying to alert Chroma about this critical vulnerability since November 2025 with no response, and roughly 73 percent of internet-accessible ChromaDB deployments running version 1.0.0 or later remain vulnerable.

Security Stuff, by David