CVE-2026-26190

Source
https://cve.org/CVERecord?id=CVE-2026-26190
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26190.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26190
Aliases
Published
2026-02-13T18:44:33.465Z
Modified
2026-02-20T02:45:45.751541Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Details

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint on that port uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is also registered on this metrics/management port without any authentication, allowing unauthenticated access to all business operations, including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26190.json",
    "cwe_ids": [
        "CWE-306"
    ]
}
References

Affected packages

Git / github.com/milvus-io/milvus

Affected ranges

Type
GIT
Repo
https://github.com/milvus-io/milvus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.27"
        }
    ]
}
Type
GIT
Repo
https://github.com/milvus-io/milvus
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.6.0"
        },
        {
            "fixed": "2.6.10"
        }
    ]
}

Affected versions

client/v2.*
client/v2.5.0
client/v2.5.1
client/v2.5.2
client/v2.5.3
client/v2.5.4
client/v2.5.5
client/v2.5.6
client/v2.6.0
client/v2.6.1
client/v2.6.2
pkg/v0.*
pkg/v0.0.1
pkg/v2.*
pkg/v2.5.10
pkg/v2.5.11
pkg/v2.5.12
pkg/v2.5.13
pkg/v2.5.14
pkg/v2.5.15
pkg/v2.5.16
pkg/v2.5.17
pkg/v2.5.18
pkg/v2.5.19
pkg/v2.5.20
pkg/v2.5.21
pkg/v2.5.22
pkg/v2.5.23
pkg/v2.5.24
pkg/v2.5.25
pkg/v2.5.26
pkg/v2.5.4
pkg/v2.5.5
pkg/v2.5.6
pkg/v2.5.7
pkg/v2.5.8
pkg/v2.5.9
pkg/v2.6.0
pkg/v2.6.1
pkg/v2.6.2
pkg/v2.6.3
pkg/v2.6.4
pkg/v2.6.6
pkg/v2.6.7
pkg/v2.6.8
pkg/v2.6.9
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.5.2
v0.5.3
v0.6.0
v0.7.0
v0.9.0
v2.*
v2.0.0
v2.0.0-pre-ga
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc4
v2.0.0-rc5
v2.0.0-rc6
v2.0.0-rc7
v2.0.1
v2.2-testing-20240702
v2.3.0
v2.3.0-beta
v2.4.2
v2.5.0
v2.5.1
v2.5.10
v2.5.11
v2.5.12
v2.5.13
v2.5.14
v2.5.15
v2.5.16
v2.5.17
v2.5.18
v2.5.19
v2.5.2
v2.5.20
v2.5.21
v2.5.22
v2.5.23
v2.5.24
v2.5.25
v2.5.26
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.6
v2.6.7
v2.6.8
v2.6.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26190.json"