CVE-2026-26190

9.8 CRITICAL

📋 TL;DR

This critical vulnerability in the Milvus vector database allows unauthenticated attackers to bypass authentication and execute arbitrary operations. Attackers can manipulate data, access credentials, and evaluate expressions via exposed endpoints on the HTTP management port (9091). All Milvus deployments running default configurations on versions prior to 2.5.27 (2.5 branch) or 2.6.10 (2.6 branch) are affected.

💻 Affected Systems

Products:
  • Milvus
Versions: All versions prior to 2.5.27 and 2.6.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Default configuration exposes port 9091 with weak authentication on debug endpoints and no authentication on REST API endpoints.

📦 What is this software?

Milvus is an open-source vector database that stores and searches embeddings for AI/ML workloads such as similarity search and retrieval-augmented generation. Clients normally talk to it over gRPC on port 19530; port 9091 carries the HTTP management and metrics interface that this advisory concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Milvus database including data theft, data destruction, credential exfiltration, and potential lateral movement to connected systems.

🟠 Likely Case

Unauthenticated attackers accessing sensitive data, manipulating vector embeddings, and potentially disrupting AI/ML applications relying on Milvus.

🟢 If Mitigated

Limited impact with proper network segmentation and authentication controls, though the vulnerability still exists in the software.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only network access to port 9091 and knowledge of default authentication token derivation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.27 or 2.6.10

Vendor Advisory: https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6

Restart Required: Yes

Instructions:

1. Back up your Milvus data and configuration.
2. Stop all Milvus services.
3. Upgrade to Milvus 2.5.27 (2.5 branch) or 2.6.10 (2.6 branch) by pulling the fixed container image or Helm chart, or by installing the binary from GitHub releases.
4. Restart Milvus services.
5. Verify the upgrade: confirm the reported version is at or above the fixed release for your branch and that the unauthenticated checks under "How to Verify" below no longer succeed.

🔧 Temporary Workarounds

Block port 9091 at firewall

linux

Prevent external access to the vulnerable port. Both rules below block every source, including any Prometheus scraper or health check that reads port 9091; if one is needed, add an ACCEPT rule for that host before the DROP. Because iptables -A appends, confirm no earlier rule already accepts the traffic, and persist the rule so it survives a reboot.

iptables -A INPUT -p tcp --dport 9091 -j DROP
ufw deny 9091

Change etcd.rootPath configuration

all

Modify the default etcd.rootPath (by-dev) to break predictable token generation. Use a long random string rather than a guessable name. Caveat: Milvus stores its metadata under this etcd key prefix, so changing it on an existing deployment makes Milvus stop seeing the existing metadata; apply this to new deployments, or migrate the etcd keys to the new prefix first.

Edit milvus.yaml:

etcd:
  rootPath: "<long-random-string>"

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to port 9091 to trusted IPs only
  • Deploy Milvus behind a reverse proxy with authentication and disable direct access to port 9091

🔍 How to Verify

Check if Vulnerable:

Port 9091 is the Milvus HTTP management/metrics port. Check whether it is reachable from untrusted networks, then send requests carrying no credentials to /api/v1/ and /expr: a 2xx reply means the endpoint is exposed without authentication, while 401/403 means authentication is enforced.

Check Version:

milvus version

Verify Fix Applied:

After upgrade, confirm the running version is at or above 2.5.27 or 2.6.10 for your branch, then repeat the unauthenticated requests to /api/v1/ and /expr on port 9091 and confirm they are rejected.
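The version comparison and the unauthenticated probe described above, as an added example (not code from the advisory or the Milvus project). It assumes the `milvus version` output contains an X.Y.Z string somewhere, that the fixed releases are exactly the two the page names, and that the endpoints of interest are /api/v1/ and /expr on port 9091; run the probe only against hosts you are authorised to test.

```python
"""Version and endpoint check for the Milvus issue described on this page.

Added example, not from the advisory or the Milvus project. Assumptions:
`milvus version` output contains an X.Y.Z string, the fixed releases are
2.5.27 and 2.6.10, and the exposed endpoints are /api/v1/ and /expr on 9091.
"""
import re
import sys
import urllib.error
import urllib.request

# Fixed releases named on this page, keyed by minor branch.
FIXED = {(2, 5): (2, 5, 27), (2, 6): (2, 6, 10)}

# Endpoints the page names as reachable without credentials.
PROBE_PATHS = ("/api/v1/", "/expr")


def parse_version(text):
    """Extract the first X.Y.Z from `milvus version` output (format assumed)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True when the version predates the fix for its branch."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    if branch < (2, 5):
        # Every release before the 2.5 branch predates both fixes.
        return True
    # Assumption: branches newer than 2.6 ship with the fix.
    return False


def probe(host, port=9091, timeout=3.0):
    """Send GETs with no credentials; return {path: HTTP status or None}.

    None means the port was closed, filtered or timed out.
    """
    results = {}
    for path in PROBE_PATHS:
        req = urllib.request.Request(f"http://{host}:{port}{path}")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code  # handler answered with an error status
        except (urllib.error.URLError, OSError):
            results[path] = None
    return results


def classify(results):
    """Turn probe results into a verdict per path.

    2xx without credentials -> open-unauthenticated (exposed)
    401/403                 -> auth-required (fix or proxy is enforcing)
    other status            -> reachable (handler exists, bare request rejected)
    None                    -> unreachable (closed or filtered)
    """
    verdicts = {}
    for path, code in results.items():
        if code is None:
            verdicts[path] = "unreachable"
        elif 200 <= code < 300:
            verdicts[path] = "open-unauthenticated"
        elif code in (401, 403):
            verdicts[path] = "auth-required"
        else:
            verdicts[path] = "reachable"
    return verdicts


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: milvus_check.py '<milvus version output>' [host [port]]")
    print("vulnerable by version:", is_vulnerable_version(sys.argv[1]))
    if len(sys.argv) > 2:
        port = int(sys.argv[3]) if len(sys.argv) > 3 else 9091
        for path, verdict in classify(probe(sys.argv[2], port)).items():
            print(f"{path}: {verdict}")
```

A "reachable" verdict (for example a 400 on a bare GET to /expr) still proves the handler is listening on an untrusted interface, so treat anything other than "auth-required" or "unreachable" as a reason to apply the firewall workaround until the upgrade lands.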

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access attempts to /api/v1/* endpoints
  • Failed authentication on port 9091
  • Unexpected expression evaluation requests

Network Indicators:

  • Unusual traffic to TCP port 9091 from unauthorized sources
  • API calls to Milvus without authentication headers

SIEM Query:

dest_port:9091 AND (uri_path:"/api/v1/*" OR uri_path:"/expr") AND NOT auth_token:*

Match on the destination port, since 9091 is the server-side port; the client's source port is ephemeral. Field names such as dest_port, uri_path and auth_token depend on the log source feeding the SIEM and must be mapped to your schema.
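The same detection logic run over access-log lines, as an added example (not from the advisory or the Milvus project). It assumes a reverse proxy in front of port 9091 writes one JSON object per request with the fields time, remote_addr, request_method, uri, status and http_authorization (empty when the client sent no Authorization header); the trusted-network allowlist is a placeholder, and the sample log is constructed for this example.

```python
"""Flag unauthenticated or untrusted requests to the Milvus endpoints named
on this page, run over reverse-proxy access logs.

Added example, not from the advisory or the Milvus project. Assumptions:
JSON-per-line proxy logs with the fields used below, a placeholder trusted
network list, and a constructed sample log.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical allowlist of networks permitted to reach the management port.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
{"time": "2026-03-01T10:00:01Z", "remote_addr": "10.1.2.3", "request_method": "GET", "uri": "/api/v1/collections", "status": 200, "http_authorization": "Bearer REDACTED"}
{"time": "2026-03-01T10:00:02Z", "remote_addr": "10.1.2.3", "request_method": "POST", "uri": "/expr", "status": 200, "http_authorization": ""}
{"time": "2026-03-01T10:00:03Z", "remote_addr": "203.0.113.9", "request_method": "GET", "uri": "/api/v1/collections", "status": 200, "http_authorization": "Bearer REDACTED"}
{"time": "2026-03-01T10:00:04Z", "remote_addr": "203.0.113.9", "request_method": "GET", "uri": "/expr?x=1", "status": 200, "http_authorization": ""}
{"time": "2026-03-01T10:00:05Z", "remote_addr": "203.0.113.9", "request_method": "GET", "uri": "/healthz", "status": 200, "http_authorization": ""}
{"time": "2026-03-01T10:00:06Z", "remote_addr": "10.1.2.3", "request_method": "GET", "uri": "/metrics", "status": 200, "http_authorization": ""}
"""


def parse_log(text):
    """Yield one dict per non-empty JSON line; skip lines that do not parse."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_sensitive(uri):
    """Match on the path only, so a query string cannot hide the endpoint."""
    path = uri.split("?", 1)[0]
    return path.startswith("/api/v1/") or path == "/expr" or path.startswith("/expr/")


def is_trusted(addr):
    """True when the client address falls inside an allowlisted network."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_alerts(records):
    """One alert per sensitive request that lacks credentials or comes from
    outside the trusted networks; reasons are listed in that order."""
    alerts = []
    for rec in records:
        if not is_sensitive(rec.get("uri", "")):
            continue
        reasons = []
        if not rec.get("http_authorization"):
            reasons.append("no Authorization header")
        if not is_trusted(rec.get("remote_addr", "")):
            reasons.append("untrusted source")
        if reasons:
            alerts.append({
                "time": rec.get("time"),
                "remote_addr": rec.get("remote_addr"),
                "request": f'{rec.get("request_method")} {rec.get("uri")}',
                "status": rec.get("status"),
                "reasons": reasons,
            })
    return alerts


def top_sources(alerts):
    """Count alerts per client address; a high count suggests scanning."""
    return Counter(a["remote_addr"] for a in alerts)


if __name__ == "__main__":
    found = find_alerts(parse_log(SAMPLE_LOG))
    for a in found:
        print(a["time"], a["remote_addr"], a["request"], a["status"], "; ".join(a["reasons"]))
    print("alerts per source:", dict(top_sources(found)))
```

Requests to /healthz and /metrics are deliberately ignored so that routine scrapers do not drown the signal; widen is_sensitive only if your deployment exposes further handlers on 9091 that you want covered.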

🔗 References

  • Vendor advisory: https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6
