Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Platform
other
Component
milvus
Fixed in
2.5.28
2.6.1
CVE-2026-26190 is a critical vulnerability affecting Milvus, an open-source vector database. This flaw allows for authentication bypasses and unauthenticated access to the full REST API, enabling data manipulation and credential management. The vulnerability impacts versions less than or equal to 2.6.0 and versions prior to 2.6.10. A fix is available in version 2.5.27.
Impact and Attack Scenarios
The impact of CVE-2026-26190 is substantial. Attackers can exploit this vulnerability to gain complete control over a Milvus instance without authentication. This includes reading, modifying, and deleting data stored within the vector database, as well as potentially accessing and compromising credentials. Given Milvus's use in generative AI applications, this could lead to data breaches, model poisoning, and disruption of AI-powered services. The exposed /expr debug endpoint, with its predictable default authentication token, provides a particularly easy entry point for exploitation. The lack of authentication on the full REST API significantly expands the attack surface.
Exploitation Context
This vulnerability has been publicly disclosed and assigned a CRITICAL CVSS score. While no active exploitation campaigns have been publicly confirmed as of the publication date, the ease of exploitation and the potential impact make it a high-priority concern. The predictable default authentication token significantly lowers the barrier to entry for attackers. It is listed on CISA KEV, indicating a high probability of exploitation.
Who Is at Risk
Organizations deploying Milvus for generative AI applications, particularly those using default configurations or legacy versions, are at significant risk. Shared hosting environments where multiple users share a Milvus instance are also vulnerable, as an attacker compromising one user's account could potentially gain access to the entire database. Any deployment relying on the default authentication token is immediately exposed.
Detection Steps
• linux / server:
journalctl -u milvus -g 'authentication bypass'
• generic web:
curl -I http://<milvus_ip>:9091/api/v1/ | grep -i 'authentication'
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.35% (57th percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector
- Network — exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low — no special conditions required. Reliably exploitable.
- Privileges Required
- None — no authentication required to exploit.
- User Interaction
- None — automatic and silent attack. The victim does nothing.
- Scope
- Unchanged — impact limited to the vulnerable component.
- Confidentiality
- High — complete loss of confidentiality. The attacker can read all data.
- Integrity
- High — the attacker can write, modify or delete all data.
- Availability
- High — complete crash or resource exhaustion. Total denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-26190 is to upgrade Milvus to version 2.5.27 or later. If an immediate upgrade is not feasible, consider temporarily disabling the /expr debug endpoint. Restrict network access to port 9091, limiting access to only trusted clients. Implement robust authentication mechanisms for the REST API, moving away from the default, predictable token. Review and harden etcd root paths to prevent predictable token generation. After upgrading, verify the fix by attempting to access the REST API without authentication and confirming access is denied.
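The detection step and the post-upgrade verification above both come down to the same probe: send one unauthenticated request to the REST API on the metrics port and confirm that the response is an authentication failure rather than a success. The script below is an added example written for this page; it is not part of the advisory or of the Milvus project. The host, port and path are assumptions taken from the advisory's own curl check (`/api/v1/` on port 9091), and the classification of status codes (401/403 as denied, any 2xx as exposed) is the author's reading of "confirm access is denied".

```shell
#!/bin/sh
# Added verification helper for CVE-2026-26190 (not from the advisory or the
# Milvus project): checks that the Milvus metrics port refuses an
# unauthenticated REST API request after patching or restricting access.
# MILVUS_HOST, MILVUS_PORT and API_PATH are assumptions; override them for
# your own deployment. The path mirrors the advisory's curl detection step.

MILVUS_HOST="${MILVUS_HOST:-127.0.0.1}"
MILVUS_PORT="${MILVUS_PORT:-9091}"
API_PATH="${API_PATH:-/api/v1/}"

# classify_status HTTP_CODE
# Prints a verdict and returns 0 only when the request was rejected for lack
# of credentials (401/403). Any 2xx means the API answered an anonymous
# client, which is the condition the advisory describes. Everything else
# (000 = unreachable, 404, 5xx, ...) is reported as unknown so that a closed
# port or a wrong path is not mistaken for a successful fix.
classify_status() {
    case "$1" in
        401|403) echo denied;  return 0 ;;
        2??)     echo exposed; return 1 ;;
        *)       echo unknown; return 2 ;;
    esac
}

# probe_status
# Issues a single unauthenticated HEAD request, as in the advisory's curl
# check, and prints only the HTTP status code (curl prints 000 when the
# connection fails or times out).
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' -I --max-time 5 \
        "http://${MILVUS_HOST}:${MILVUS_PORT}${API_PATH}"
}

# verify_fix
# Runs the probe and classifies the answer; exit status 0 means the metrics
# port denied anonymous REST access, non-zero means further action is needed.
verify_fix() {
    code="$(probe_status)"
    verdict="$(classify_status "$code")"
    rc=$?
    echo "http ${code} -> ${verdict}"
    return $rc
}

# Only contact the server when explicitly asked, so the functions can also be
# sourced into other scripts without side effects.
[ -n "${RUN_PROBE:-}" ] && verify_fix
```

Run it as `MILVUS_HOST=milvus.internal RUN_PROBE=1 sh verify_milvus.sh` against a host you operate; a `denied` verdict is the expected result after upgrading, while `unknown` usually means the port is already firewalled off (also acceptable per the network-restriction workaround) or the path differs in your version.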
How to Fix
Upgrade Milvus to version 2.5.27 or later, or to version 2.6.10 or later, as applicable. This fixes the unauthenticated access vulnerability in the RESTful API on the metrics port (9091).
Frequently Asked Questions
What is CVE-2026-26190 — Authentication Bypass in Milvus Vector Database?
CVE-2026-26190 is a critical vulnerability in Milvus versions ≤ 2.6.0 and < 2.6.10 that allows unauthenticated access to the API and data manipulation due to weak default authentication and exposed ports, earning a CVSS score of 9.8.
Am I affected by CVE-2026-26190 in Milvus Vector Database?
You are affected if you are running Milvus versions less than or equal to 2.6.0 or versions prior to 2.6.10. Check your current version and upgrade immediately if vulnerable.
How do I fix CVE-2026-26190 in Milvus Vector Database?
Upgrade Milvus to version 2.5.27 or later. As a temporary workaround, disable the /expr debug endpoint and restrict network access to port 9091.
Is CVE-2026-26190 being actively exploited?
While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and high impact make it a high-priority concern and a likely target.
Where can I find the official Milvus advisory for CVE-2026-26190?
Refer to the official Milvus security advisory, which can be found on the Milvus GitHub repository or their official website (check for updates).