CVE-2026-26190

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.

Vulnerability Details

Published Date

February 13, 2026

Last Modified

February 18, 2026

CWE ID

CWE-306

Source

NVD

Vendor

milvus-io

Product

milvus

External References

https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9
https://github.com/milvus-io/milvus/releases/tag/v2.5.27
https://github.com/milvus-io/milvus/releases/tag/v2.6.10
https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6

CVE-2026-26190

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment