ChromaDB RCE Flaw Signals Systemic AI Infrastructure Risk Beyond Single Vendor Patch
Unpatched ChromaDB RCE enables remote server takeover via malicious Hugging Face models executed before auth, amplifying AI supply-chain risks with minimal public mitigations available.
The unpatched ChromaDB vulnerability (CVE-2026-45829) is more than an isolated pre-authentication RCE in an open-source vector database; it exposes a structural weakness in how modern AI pipelines handle untrusted model artifacts from repositories such as Hugging Face. Because the server resolves and loads a client-supplied model identifier before any authentication check, a single unauthenticated request naming a malicious model is enough to obtain a remote shell and exfiltrate API keys, environment variables and disk contents. An estimated 73 percent of internet-facing deployments run version 1.0.0 or later and fall within the affected range.

This compounds patterns already seen in supply-chain attacks on AI tooling, including the 2024 LangChain prompt-injection vectors and the 2025 TorchServe deserialization issues, where execution of external models bypassed sandboxing. HiddenLayer's analysis correctly identifies the root cause as trust-before-auth logic, but understates the downstream consequence for retrieval-augmented generation systems now embedded in defense analytics and critical-infrastructure monitoring. Independent researcher reports dating to November 2025 indicate sustained vendor silence, mirroring delays observed in other high-download open-source AI components.

Network isolation remains the only immediate control, and it is a partial one: an attacker who gains an initial foothold inside an enterprise-internal or even air-gapped network can still reach the service and deliver a poisoned collection request. The episode underscores an emerging class of infrastructure risk in which vector databases act as high-value data lakes of sensitive embeddings, so that one unauthenticated request becomes a potential intelligence-collection or sabotage vector.
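The ordering bug described above, shown as an added illustration rather than ChromaDB's or HiddenLayer's code: a request handler that loads a client-chosen model before checking credentials, next to a handler that authenticates first, accepts only allowlisted model identifiers and refuses artifact-supplied code. The request shape, the bearer-token check, the in-memory stand-in for a model hub and the artifact format are assumptions made for this example; executing a string of Python shipped inside the artifact stands in for Hugging Face repositories that carry custom model code (the real loaders gate that behind `trust_remote_code=True`).

```python
"""Illustration of the trust-before-auth bug class.

Not ChromaDB's code. The request shape, the token check, the FAKE_HUB
registry and the artifact format are assumptions for this example. An
artifact's "remote_code" is executed by the loader, standing in for model
repositories that ship custom Python alongside their weights.
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Evidence that attacker-controlled code ran; a real payload would spawn a shell.
EXECUTION_LOG: list[str] = []


def _record(event: str) -> None:
    EXECUTION_LOG.append(event)


# Constructed stand-in for a remote model hub: model id -> artifact.
FAKE_HUB = {
    "sentence-transformers/all-MiniLM-L6-v2": {"dim": 384, "remote_code": ""},
    "attacker/poisoned-embedder": {
        "dim": 384,
        "remote_code": "record('attacker code executed on server')",
    },
}

ALLOWED_MODELS = {"sentence-transformers/all-MiniLM-L6-v2"}
API_TOKEN = "assumed-example-token"  # assumption: a single shared bearer token


@dataclass
class Request:
    token: Optional[str]
    body: dict = field(default_factory=dict)


def load_model(model_id: str, trust_remote_code: bool) -> dict:
    """Fetch an artifact from the hub and, only if permitted, run the code it ships."""
    artifact = FAKE_HUB[model_id]
    if artifact["remote_code"]:
        if not trust_remote_code:
            raise ValueError(f"{model_id} ships custom code; refusing to load it")
        exec(artifact["remote_code"], {"record": _record})  # attacker code runs here
    return {"model": model_id, "dim": artifact["dim"]}


def _authenticated(req: Request) -> bool:
    return req.token is not None and hmac.compare_digest(req.token, API_TOKEN)


def create_collection_vulnerable(req: Request) -> tuple:
    """Buggy ordering: the client-supplied model is resolved and loaded
    while the request is still unauthenticated, so the 401 arrives too late."""
    model_id = req.body.get("embedding_model")
    load_model(model_id, trust_remote_code=True)
    if not _authenticated(req):
        return 401, "unauthorized"
    return 200, f"collection created with {model_id}"


def create_collection_hardened(req: Request) -> tuple:
    """Authenticate first, accept only allowlisted models, and never execute
    code shipped inside an artifact even for an allowlisted model."""
    if not _authenticated(req):
        return 401, "unauthorized"
    model_id = req.body.get("embedding_model")
    if model_id not in ALLOWED_MODELS:
        return 400, f"embedding model {model_id!r} is not allowlisted"
    try:
        load_model(model_id, trust_remote_code=False)
    except ValueError as exc:
        return 400, str(exc)
    return 200, f"collection created with {model_id}"


if __name__ == "__main__":
    attack = Request(token=None, body={"embedding_model": "attacker/poisoned-embedder"})
    print(create_collection_vulnerable(attack), EXECUTION_LOG)  # 401, yet code ran
    EXECUTION_LOG.clear()
    print(create_collection_hardened(attack), EXECUTION_LOG)    # 401, nothing ran
```

The point of the pairing is that the vulnerable handler still returns 401 to the attacker, so the access log looks clean while `EXECUTION_LOG` shows the artifact's code already ran. The hardened handler applies three independent controls, so that even a valid credential combined with a poisoned model identifier is stopped by the allowlist, and a poisoned artifact behind an allowlisted name is stopped by refusing remote code.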
SENTINEL: ChromaDB's persistent exposure will accelerate targeted exploitation by state-linked actors seeking to compromise embeddings and secrets in commercial and research AI deployments within the next quarter.
Sources (3)
- [1] Primary Source: https://www.securityweek.com/unpatched-chromadb-vulnerability-can-lead-to-server-takeover/
- [2] HiddenLayer ChromaToast Technical Report: https://hiddenlayer.com/research/chromatoast-cve-2026-45829/
- [3] NIST AI Risk Management Framework 1.0 - Supply Chain Guidance: https://www.nist.gov/itl/ai-risk-management-framework