Self-Hosted Weekly: Week 23, 2026. Supabase Hits $10.5B, Euro-Office Ships, ChromaDB CVSS 10

Welcome back to Self-Hosted Weekly. This week had a bit of everything: a database company hitting a $10.5 billion valuation, Europe shipping its sovereign office suite (with a licensing fight attached), and three CVEs that should jump to the top of your patch queue, including a perfect 10 on a vector database half the AI world runs. Let's get into it.

1. Supabase raises $500M at a $10.5B valuation, ships Multigres preview

On June 4, Supabase announced a $500 million Series F led by GIC at a $10.5 billion post-money valuation, with Stripe and Salesforce Ventures joining in. The company says databases on the platform grew 600% year over year, largely riding the vibe-coding wave where every AI-built app needs a Postgres backend. Alongside the round, Supabase released a preview of Multigres, an Apache 2.0 licensed horizontal scaling layer that brings sharding, zero-downtime migrations, and high availability to Postgres.

Hot take: The funding headline is fun, but Multigres is the real story for self-hosters. A Vitess-style scaling layer for Postgres under a genuinely open license benefits everyone running Postgres, whether they touch Supabase or not. And if you want Supabase on your own infrastructure, that's been possible all along.

2. Euro-Office starts shipping, and OnlyOffice cries foul

Euro-Office, the EU-backed web office suite announced in March, began shipping in early June. Behind it is a coalition including IONOS, Nextcloud, XWiki, OpenProject, and OpenXchange. It handles DOCX, XLSX, PPTX, ODF and PDF formats with real-time collaboration, and Nextcloud Hub 26 integrated it immediately. The wrinkle: OnlyOffice, whose AGPL code forms Euro-Office's foundation, publicly alleged the project violates its licensing terms.

Hot take: A sovereign European office stack shipping inside Nextcloud is a big deal for the self-hosted world. But the OnlyOffice dispute deserves attention, because AGPL compliance is the foundation this whole movement stands on. If the fork is clean, publish the receipts. If it isn't, fix it fast.

3. Exim RCE, CVSS 9.8: patch your mail server today

CVE-2026-45185 is a remote code execution flaw in Exim, the MTA that quietly powers a massive share of the world's mail servers. It scores 9.8, and the fix is in version 4.99.3.

Hot take: Exim flaws never stay theoretical for long; attackers have mass-scanned for them within days every single time. If you self-host email, this is your weekend plan. If your distro bundles Exim and you forgot it exists, that's worse; go check.

4. ChromaDB hits a perfect CVSS 10.0

CVE-2026-45829 is a critical API vulnerability in ChromaDB rated 10.0. The interim guidance is blunt: do not expose the API server to the internet, and check the project's security advisory for the patched release that matches your version line.

Hot take: Vector databases became production infrastructure faster than their security posture matured. Most ChromaDB deployments started life as a notebook experiment and ended up holding real data. If yours is reachable from the public internet, fix that today: firewall first, then patch. A managed ChromaDB sits behind a proper reverse proxy by default, which is exactly the posture this CVE demands.

5. Langflow exploit goes APT: MuddyWater joins the party

CVE-2025-34291, a CORS token theft flaw in Langflow, is being actively exploited by the MuddyWater APT group. CISA's KEV remediation deadline was June 4, and the fix is upgrading to version 1.7.0 or later.

Hot take: When a nation-state group starts targeting your low-code AI builder, the "it's just an internal tool" excuse is officially dead. AI workflow tools hold API keys to everything you've connected them to. Treat them like the credential vaults they accidentally became.

6. Microsoft ships Rust Coreutils for Windows

Microsoft released Coreutils for Windows, a cross-platform, Rust-based reimplementation of GNU Coreutils derived from the uutils open-source project. The same uutils that Ubuntu adopted as its default coreutils last year is now an official Microsoft offering.

Hot take: Whatever your feelings about Microsoft, ls and grep working natively and identically across Windows and Linux makes every cross-platform script and CI pipeline a little less painful. The uutils maintainers going from hobby rewrite to powering two of the biggest OS vendors is one of the great open-source arcs of the decade.

7. Penpot lays out its June roadmap: enterprise self-hosting gets serious

Fresh off the 2.16 release (design tokens in the sidebar, WebGL renderer in beta, roughly 110 fixes and enhancements), the Penpot team published a transparent "not a roadmap" post covering five tracks of active work. Notable for self-hosters: an expanding admin console with organizations, advanced permissions, and SSO configuration, plus an MCP server for agentic design workflows.

Hot take: Penpot keeps doing the unglamorous work that makes self-hosted tools viable in real companies: admin consoles, SSO, governance. Figma sells convenience; Penpot is methodically removing every reason a team would need it.

8. Docker Desktop's June update: Model Runner CVE fixed, Qwen3.5 support

Docker's June updates fixed CVE-2026-33990 in Docker Model Runner, added support for running Qwen3.5 locally, introduced MCP profile template cards, and improved Compose stack log filtering, plus the usual pile of reliability fixes.

Hot take: Docker is quietly becoming the default local AI runtime for developers who don't want to think about Python environments. A CVE in Model Runner this early is no scandal, but it's a reminder that "run an LLM with one click" tooling expands your attack surface like any other service.

What We're Watching Next Week

  • Kubernetes v1.37 crunch time: Production Readiness freeze lands June 10 and the enhancements freeze follows on June 17. We'll know within two weeks what actually makes the release.
  • KubeCon India, June 18-19: expect a wave of cloud-native announcements timed to the keynotes.
  • The Euro-Office licensing dispute: OnlyOffice's AGPL allegations will either get a public resolution or escalate. Either way, it sets a precedent for EU-funded forks.
  • UN Open Source Week, June 22-26: digital sovereignty will dominate the agenda, and the Euro-Office story just handed everyone a live case study.

The Bottom Line

The money is loud this week (a $10.5B Postgres company!), but the quiet pattern matters more: outside the Exim flaw, this week's most urgent CVEs all hit tools from the AI stack. Vector databases, workflow builders, and local model runners are production infrastructure now, and attackers noticed before most ops teams did. Patch Exim, firewall ChromaDB, upgrade Langflow, and if you'd rather have someone else carry the patching pager, Elestio keeps 400+ open-source services updated for you.

Thanks for reading ❤️ See you next Friday 👋