CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-7ppg-37fh-vcr6: Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise

criticalCVSS 9.8CVE-2026-26190
Summary Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities: 1. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. 2. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. Details Vulnerability 1: Weak Default Authentication on /expr Endpoint The /expr endpoint on port 9091 accepts an auth parameter that defaults to the etcd.rootPath value (by-dev). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to: - Information/Credential Disclosure: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via param.MinioCfg.SecretAccessKey.GetValue(), rootcoord.meta.GetCredential(ctx, 'root'), etc. - Denial of Service: Invoking proxy.Stop() to shut down the proxy service. - Arbitrary File Write (potential RCE): Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem. Vulnerability 2: Unauthenticated REST API on Metrics Port Business-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via registerHTTPServer() in internal/distributed/proxy/service.go (line 170). These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports. An attacker can perform any business operation without credentials, including: - Creating, listing, and

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 9.8
Published
2026-02-11
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-7ppg-37fh-vcr6

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-26190coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories