Overview
Severity: CRITICAL | Affected: ChromaDB | Category: breach
Vector database provider ChromaDB announced a significant security incident affecting its multi-tenant cloud platform. Attackers exploited a previously unknown vulnerability, now dubbed 'Vector Injection', to craft queries that bypassed the platform's tenant isolation controls. By supplying specially formed embedding vectors and manipulating the parameters of the nearest neighbor search, they caused the system to return data from the vector indexes of other customers. The breach resulted in the exfiltration of proprietary model embeddings and sensitive metadata from several high-profile enterprise clients; because embeddings and their metadata are derived from the documents a customer indexed, this is a loss of the underlying data, not merely of derived numbers.

ChromaDB has since patched the vulnerability. The fix adds stricter input sanitization and query validation at the storage layer, where a query is checked before the shared index is searched, rather than relying on checks at the API edge alone. The incident highlights an emerging class of threats targeting the unique architecture of AI-native databases, where the query is a high-dimensional numeric object rather than a string, and underscores the need for security controls beyond traditional data protection measures.
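The announcement gives no technical detail about the flaw, so the following is an added illustration of the general class of control it describes (tenant scoping and query validation enforced at the storage layer), written for this page. It is not ChromaDB's code and not a reconstruction of the actual bug. It uses a toy in-memory index with hypothetical names (VectorIndex, query_weak, query_hardened, ValidationError), assumed limits (a fixed dimensionality, a cap on n_results and on vector norm) and constructed sample rows for two tenants. The weak query path trusts a client-supplied tenant filter and uses the vector as sent; the hardened path takes the tenant from the authenticated session, applies it before any client filter, and rejects malformed vectors and parameters.

```python
import math
from dataclasses import dataclass

# Toy multi-tenant vector store (hypothetical; not ChromaDB's code). All tenants share
# one physical index, as a multi-tenant cloud deployment would, so the query path is
# the only thing standing between one customer's rows and another's.
DIM = 4            # fixed embedding dimensionality for this index (assumption)
MAX_RESULTS = 10   # upper bound on n_results a single query may request (assumption)
MAX_NORM = 1e3     # reject oversized vectors that would dominate distance math (assumption)


class ValidationError(ValueError):
    """Raised when a query fails storage-layer validation."""


@dataclass
class Record:
    tenant: str
    doc_id: str
    embedding: list
    metadata: dict


class VectorIndex:
    def __init__(self):
        self.rows = []

    def add(self, tenant, doc_id, embedding, metadata):
        # The weak path below relies on a 'tenant' metadata key that the client
        # can also choose to filter on (or not).
        self.rows.append(Record(tenant, doc_id, [float(x) for x in embedding],
                                {**metadata, "tenant": tenant}))


def _distance(a, b):
    """Euclidean distance; a NaN or inf in either vector poisons every comparison."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _matches(record, where):
    return all(record.metadata.get(k) == v for k, v in where.items())


def query_weak(index, query_embedding, n_results, where):
    """Weak: tenant isolation is whatever filter the client chose to send, and the
    vector is used as-is. A caller who omits the tenant filter, or names another
    tenant, searches the whole shared index."""
    hits = [r for r in index.rows if _matches(r, where)]
    hits.sort(key=lambda r: _distance(query_embedding, r.embedding))
    return [r.doc_id for r in hits[:n_results]]


def validate_embedding(vec, dim=DIM, max_norm=MAX_NORM):
    """Reject wrong-dimension, non-numeric, non-finite or oversized query vectors."""
    if not isinstance(vec, (list, tuple)) or len(vec) != dim:
        raise ValidationError(f"embedding must have {dim} components")
    out = []
    for x in vec:
        if isinstance(x, bool) or not isinstance(x, (int, float)) or not math.isfinite(x):
            raise ValidationError("embedding components must be finite numbers")
        out.append(float(x))
    if math.sqrt(sum(x * x for x in out)) > max_norm:
        raise ValidationError("embedding norm exceeds limit")
    return out


def query_hardened(index, session_tenant, query_embedding, n_results, where=None):
    """Hardened: the storage layer derives the tenant from the authenticated session,
    applies that scope before any client filter, and validates vector and parameters
    before touching the index."""
    vec = validate_embedding(query_embedding)
    if (isinstance(n_results, bool) or not isinstance(n_results, int)
            or not 1 <= n_results <= MAX_RESULTS):
        raise ValidationError(f"n_results must be an integer in 1..{MAX_RESULTS}")
    where = dict(where or {})
    if "tenant" in where:
        raise ValidationError("tenant is set by the session, not by the query")
    candidates = [r for r in index.rows
                  if r.tenant == session_tenant and _matches(r, where)]
    candidates.sort(key=lambda r: _distance(vec, r.embedding))
    return [r.doc_id for r in candidates[:n_results]]


def rejects(fn, *args, **kwargs):
    """True if the call is refused with ValidationError."""
    try:
        fn(*args, **kwargs)
    except ValidationError:
        return True
    return False


def build_sample_index():
    """Constructed sample data: two tenants sharing one index."""
    idx = VectorIndex()
    idx.add("acme", "acme-1", [1.0, 0.0, 0.0, 0.0], {"kind": "contract"})
    idx.add("acme", "acme-2", [0.0, 1.0, 0.0, 0.0], {"kind": "memo"})
    idx.add("globex", "globex-1", [0.9, 0.1, 0.0, 0.0], {"kind": "contract"})
    idx.add("globex", "globex-2", [0.0, 0.0, 1.0, 0.0], {"kind": "memo"})
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    probe = [1.0, 0.0, 0.0, 0.0]
    print("weak, no tenant filter:", query_weak(idx, probe, 3, {}))
    print("hardened as acme:      ", query_hardened(idx, "acme", probe, 3))
    print("hardened rejects NaN:  ",
          rejects(query_hardened, idx, "acme", [float("nan"), 0, 0, 0], 3))
```

Run as a script, the weak path returns globex-1 to a caller who sent no tenant filter, while the hardened path returns only the session tenant's rows and refuses NaN components, wrong dimensionality, an out-of-range n_results and any attempt to set the tenant through the filter. The point of placing these checks at the storage layer is that every code path that reaches the shared index passes through them, including internal callers and any future API surface.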