CVE-2026-26190: CWE-306: Missing Authentication for Critical Function in milvus-io milvus
Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.
AI Analysis
Technical Summary
Milvus is a popular open-source vector database designed to support generative AI workloads by efficiently managing high-dimensional vector data. CVE-2026-26190 identifies a critical authentication bypass vulnerability affecting Milvus versions prior to 2.5.27 and between 2.6.0 and 2.6.10. The vulnerability arises because Milvus exposes TCP port 9091 by default, which hosts a metrics and management interface that lacks proper authentication controls. Specifically, the /expr debug endpoint uses a weak and predictable default authentication token derived from the etcd.rootPath configuration (defaulting to 'by-dev'), enabling attackers to perform arbitrary expression evaluation remotely. Moreover, the entire REST API under /api/v1/* is registered on this port without any authentication, granting unauthenticated attackers full access to critical business functions such as data manipulation, credential management, and other administrative operations. This lack of authentication on critical functions is classified under CWE-306 (Missing Authentication for Critical Function). The vulnerability allows remote, unauthenticated attackers to fully compromise the confidentiality, integrity, and availability of Milvus databases by executing arbitrary commands, modifying or deleting data, and potentially escalating privileges. The issue was addressed and fixed in Milvus versions 2.5.27 and 2.6.10 by enforcing proper authentication mechanisms on the management and metrics ports. The CVSS v3.1 base score of 9.8 reflects the high impact and ease of exploitation, as no authentication or user interaction is required and the attack surface is exposed over the network.
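The affected ranges above have two branches (everything before 2.5.27, and the 2.6 line from 2.6.0 up to but not including 2.6.10), which is easy to get wrong in an inventory check. The following is an added example, not code from the advisory or the Milvus project: it parses version strings as they typically appear in deployment inventories and decides whether each one falls inside the ranges this advisory names. The two fix versions come from the advisory; the inventory, the host names and the pre-release handling (a tag such as `-rc1` is treated as older than the matching release) are assumptions made for the example.

```python
"""Added example (not from the advisory or the Milvus project): decide whether a
Milvus version string falls inside the ranges CVE-2026-26190 affects.

Affected per the advisory: every release before 2.5.27, and 2.6.0 <= v < 2.6.10.
The fix versions are the advisory's; everything else here is constructed."""
import re

# Version keys are (major, minor, patch, release_flag); release_flag is 0 for a
# pre-release tag and 1 for a final release, so "2.6.10-rc1" sorts below "2.6.10".
FIXED_2_5 = (2, 5, 27, 1)   # first fixed release on the 2.5 line (from the advisory)
FIXED_2_6 = (2, 6, 10, 1)   # first fixed release on the 2.6 line (from the advisory)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text: str) -> tuple:
    """Accept 'v2.5.26', '2.6.9', 'milvus-2.6.10-rc1' and return a sortable key."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    prerelease = m.group(4) is not None
    return (major, minor, patch, 0 if prerelease else 1)


def is_affected(text: str) -> bool:
    """True when the version is inside one of the advisory's affected ranges."""
    v = parse_version(text)
    major_minor = (v[0], v[1])
    if major_minor < (2, 6):
        return v < FIXED_2_5      # all 2.5.x before 2.5.27 and every earlier line
    if major_minor == (2, 6):
        return v < FIXED_2_6      # 2.6.0 <= v < 2.6.10
    return False                  # 2.7 and later are not named by the advisory


# Constructed inventory: hypothetical host names mapped to reported versions.
SAMPLE_INVENTORY = {
    "milvus-a.internal": "v2.5.26",
    "milvus-b.internal": "2.6.10",
    "milvus-c.internal": "2.6.3",
    "milvus-d.internal": "2.6.10-rc1",
}


def affected_hosts(inventory: dict) -> list:
    """Sorted list of hosts whose reported version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade to 2.5.27/2.6.10 or later")
```

The pre-release rule is a deliberate choice: a build tagged as a release candidate of the fix version is not yet the fix, so it is reported as affected rather than silently passed.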
Potential Impact
The impact of CVE-2026-26190 is severe for organizations deploying affected versions of Milvus. Attackers can remotely bypass authentication and gain full control over the vector database, leading to complete compromise of stored data, including sensitive AI model vectors and metadata. This can result in data theft, unauthorized data manipulation, deletion, or insertion of malicious data, undermining the integrity of AI applications relying on Milvus. Credential management access allows attackers to create or modify user credentials, potentially enabling persistent access and lateral movement within an organization’s infrastructure. The availability of the database can also be disrupted by malicious commands or resource exhaustion attacks. Given Milvus’s role in AI and data-driven applications, such compromises can degrade AI model performance, cause operational downtime, and damage organizational reputation. The vulnerability’s network-exposed nature and lack of authentication requirements make exploitation straightforward, increasing the risk of widespread attacks if unpatched instances are accessible from untrusted networks.
Mitigation Recommendations
Organizations should immediately upgrade all Milvus deployments to versions 2.5.27 or 2.6.10 or later, where this vulnerability is patched. Until upgrades can be applied, administrators should restrict access to TCP port 9091 using network-level controls such as firewalls or VPNs to limit exposure to trusted internal networks only. Disable or restrict the /expr debug endpoint and the management REST API if possible. Implement strong authentication and authorization mechanisms on all management interfaces. Regularly audit Milvus configurations to ensure no default or weak tokens are in use. Monitor network traffic and logs for unusual access patterns targeting port 9091 or the /api/v1/* endpoints. Employ intrusion detection systems to detect exploitation attempts. Finally, maintain an up-to-date inventory of Milvus instances and ensure timely application of security patches in the future.
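Two of the recommendations above (auditing configurations for the default `etcd.rootPath`, and monitoring for access to `/expr` or `/api/v1/*` on port 9091) can be scripted. The block below is an added example, not code from the advisory or the Milvus project. `audit_config` flags a `milvus.yaml` whose `etcd.rootPath` is still the default `by-dev` named in the advisory; `scan_access_log` flags requests that reach port 9091 on the sensitive paths from sources outside an allowlist. The log line layout, the allowlist, the YAML snippet and the request paths under `/api/v1/` are all constructed for the example and should be adapted to whatever proxy or collector records traffic to the management port in your environment.

```python
"""Added example (not from the advisory or the Milvus project): two defender-side
checks for CVE-2026-26190 run over constructed input.

1. audit_config(): report a milvus.yaml whose etcd.rootPath is the default 'by-dev'.
2. scan_access_log(): report requests to /expr or /api/v1/* on port 9091 from
   sources outside an allowlist."""
import ipaddress
import re

DEFAULT_ROOT_PATH = "by-dev"   # default value named in the advisory
MANAGEMENT_PORT = 9091         # default metrics/management port named in the advisory


def audit_config(yaml_text: str) -> list:
    """Inspect only the 'etcd:' block's 'rootPath' key; an empty list means no finding.
    Comments are stripped so a commented-out value is not reported."""
    findings = []
    in_etcd = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):      # top-level key starts a new block
            in_etcd = line.strip() == "etcd:"
            continue
        if in_etcd:
            m = re.match(r"\s*rootPath:\s*(\S+)", line)
            if m and m.group(1).strip("'\"") == DEFAULT_ROOT_PATH:
                findings.append("etcd.rootPath is the default 'by-dev' from which the /expr token is derived")
    return findings


# Constructed log layout: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def is_sensitive_path(path: str) -> bool:
    """Exact match on /expr, prefix match on /api/v1/ (query string already removed)."""
    return path == "/expr" or path.startswith("/api/v1/")


def scan_access_log(lines, allowed_sources) -> list:
    """One alert per request to a sensitive path on the management port whose
    source address is outside the allowlist (single addresses or CIDR ranges)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed_sources]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                     # unknown layout: skip rather than guess
        if int(m["port"]) != MANAGEMENT_PORT:
            continue
        path = m["path"].split("?", 1)[0]
        if not is_sensitive_path(path):
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in nets):
            continue
        alerts.append({"ts": m["ts"], "src": m["src"], "path": path, "status": m["status"]})
    return alerts


# Constructed sample input for the two checks.
SAMPLE_CONFIG = """\
etcd:
  endpoints: localhost:2379
  rootPath: by-dev    # still the default, so the audit should flag it
proxy:
  port: 19530
"""
ALLOWED_SOURCES = ["10.0.0.0/24"]   # hypothetical monitoring subnet
SAMPLE_LOG = [
    "2026-02-14T10:01:02Z 10.0.0.5 -> 10.0.1.20:9091 GET /metrics 200",
    "2026-02-14T10:01:03Z 203.0.113.7 -> 10.0.1.20:9091 GET /expr 200",
    "2026-02-14T10:01:04Z 203.0.113.7 -> 10.0.1.20:9091 POST /api/v1/collection 200",
    "2026-02-14T10:01:05Z 203.0.113.7 -> 10.0.1.20:19530 GET /api/v1/health 200",
    "2026-02-14T10:01:06Z 10.0.0.5 -> 10.0.1.20:9091 GET /api/v1/health 200",
    "not a log line",
]

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("CONFIG:", finding)
    for alert in scan_access_log(SAMPLE_LOG, ALLOWED_SOURCES):
        print("ALERT:", alert)
```

Of the constructed log lines, only the two from 203.0.113.7 to port 9091 on `/expr` and `/api/v1/collection` produce alerts: the `/metrics` request and the allowlisted `/api/v1/health` request are expected management traffic, and the request to port 19530 is not on the management port at all.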
Affected Countries
United States, China, Germany, India, United Kingdom, Canada, France, Japan, South Korea, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-11T19:56:24.812Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698f793ac9e1ff5ad85a8a5c
Added to database: 2/13/2026, 7:19:22 PM
Last enriched: 2/28/2026, 12:36:11 AM
Last updated: 3/30/2026, 10:12:37 PM