PT-2026-8025 · Milvus · Milvus

Published

2026-02-11

·

Updated

2026-03-03

·

CVE-2026-26190

CVSS v3.1

9.8

Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Milvus versions prior to 2.5.27, and Milvus 2.6.x versions prior to 2.6.10.
Description: Milvus, an open-source vector database for generative AI applications, is affected by an authentication bypass. The software exposes a metrics/management HTTP service on TCP port 9091 by default. On that port, the /expr debug endpoint is protected only by a weak, predictable default authentication token derived from the etcd.rootPath setting (default: by-dev), which enables arbitrary expression evaluation. The full REST API (/api/v1/*) is also registered on the same port without any authentication, giving unauthenticated access to all business operations, including data manipulation and credential management.
Recommendations: Milvus versions prior to 2.5.27 should be upgraded to 2.5.27 or later; Milvus 2.6.x versions prior to 2.6.10 should be upgraded to 2.6.10 or later. Until the upgrade is applied, the management port (9091) should not be reachable from untrusted networks, since the unauthenticated REST API and the /expr endpoint are served there.
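The following triage helper is an added example written for this page; it is not code from the advisory or from the Milvus project. It applies the two facts the advisory states: the affected version ranges (fixed in 2.5.27 and 2.6.10), and the default etcd.rootPath value "by-dev" that the /expr token is derived from. The milvus.yaml fragment, the version strings and the key name proxy.http.port/proxy.http.enabled are constructed assumptions for the example; only etcd.rootPath and port 9091 are named on the page.

```python
"""Offline pre-upgrade triage for CVE-2026-26190 (added example, not project code).

1. is_affected(): is a running Milvus version inside an affected range?
   2.6.x is fixed at 2.6.10; every other version below 2.5.27 is affected
   (the advisory gives no lower bound, so 2.4.x and older count as affected).
2. config_findings(): does milvus.yaml keep the default etcd.rootPath ("by-dev",
   named on the page) and an enabled HTTP/management port (key names
   proxy.http.enabled / proxy.http.port are assumed, not taken from the page)?
3. port_open(): plain TCP reachability of port 9091 from the scanning host.
"""
import re
import socket

FIXED = {(2, 5): (2, 5, 27), (2, 6): (2, 6, 10)}  # patched releases per the advisory

# Constructed milvus.yaml fragment for the example (not a real deployment's file).
SAMPLE_YAML = """\
# constructed sample config
etcd:
  endpoints: localhost:2379
  rootPath: by-dev
proxy:
  port: 19530
  http:
    enabled: true
    port: 9091
"""


def parse_version(v):
    """'v2.6.9' / '2.6.9' -> (2, 6, 9); raises on anything else."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Milvus version: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if `version` predates the fix on its release line."""
    t = parse_version(version)
    if t[:2] == (2, 6):
        return t < FIXED[(2, 6)]
    return t < FIXED[(2, 5)]


def load_simple_yaml(text):
    """Minimal stdlib-only parser for the nested 'key: value' shape of milvus.yaml
    (scalars and mappings only; no lists, anchors or quoting)."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip()
    return root


def config_findings(cfg):
    """Config-level indicators from the advisory: default rootPath, management port on."""
    findings = []
    if cfg.get("etcd", {}).get("rootPath", "by-dev") == "by-dev":
        findings.append("etcd.rootPath is the default 'by-dev': /expr token is predictable")
    http = cfg.get("proxy", {}).get("http", {})
    if str(http.get("enabled", "true")).lower() == "true":  # page: port is on by default
        findings.append(
            f"management HTTP port {http.get('port', '9091')} enabled: "
            "/api/v1/* is served without authentication on affected builds")
    return findings


def port_open(host, port=9091, timeout=1.0):
    """TCP reachability only; no HTTP request is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(version, yaml_text):
    return {"version": version, "affected": is_affected(version),
            "findings": config_findings(load_simple_yaml(yaml_text))}


if __name__ == "__main__":
    for v in ("2.4.15", "2.5.26", "2.5.27", "2.6.9", "2.6.10"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(triage("2.6.9", SAMPLE_YAML))
    print("9091 reachable on localhost:", port_open("127.0.0.1"))
```

A host that reports affected=True with both findings is the worst case the advisory describes: an exploitable build, a predictable /expr token, and the unauthenticated REST API all reachable on the same port. Changing etcd.rootPath from its default removes only the predictability of the /expr token; the unauthenticated /api/v1/* exposure is fixed only by upgrading or by keeping 9091 off untrusted networks.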

Exploit

Fix

RCE

Missing Authentication


Weakness Enumeration

Related identifiers

BIT-MILVUS-2026-26190
CVE-2026-26190
GHSA-7PPG-37FH-VCR6
GO-2026-4481
SUSE-SU-2026:0757-1

Affected products

Milvus