CVE-2026-26190
Published: 13 February 2026
Summary
CVE-2026-26190 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in the Milvus vector database (vendor: Milvus). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Similarity Search; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-26190 affects Milvus, an open-source vector database designed for generative AI applications. In versions prior to 2.5.27 and 2.6.10, the software exposes TCP port 9091 (the metrics/management port) by default, and two authentication weaknesses are reachable on it. First, the /expr debug endpoint relies on a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), so a deployment that keeps the default root path has an effectively known token, and the endpoint allows arbitrary expression evaluation. Second, the full REST API (/api/v1/*) is registered on the same port without any authentication, granting access to all business operations. The vulnerability carries a CVSS v3 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306 (Missing Authentication for Critical Function).
Remote attackers need no privileges or user interaction to exploit this over the network; reachability of port 9091 is the only precondition, so the blast radius depends on how widely the metrics/management port is exposed. An attacker who can connect to it can present the predictable token to /expr to execute arbitrary expressions, and can drive the unauthenticated REST API to read, write and delete vector data and manage credentials, which amounts to complete compromise of the database.
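Both surfaces can be checked from the outside without reproducing the /expr token. The following is an added example, not code from the Milvus project or from the advisory: a Python checker that sends one unauthenticated GET to each surface on the management port and classifies the answer. The /api/v1/collections route, the status-code heuristics and the three fake hosts are assumptions made for the example; the advisory names only /expr and the /api/v1/* prefix.

```python
"""Exposure check for the Milvus management port (TCP 9091) described above.

Added example, not code from Milvus or the advisory. It probes /expr and one
/api/v1/* route without credentials and classifies the responses. The
/api/v1/collections path, the status-code rules and the fake hosts used for the
offline demo are assumptions; the advisory names only the /expr endpoint and the
/api/v1/* prefix.
"""
from __future__ import annotations

import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# A transport returns (status_code, body); status 0 means no HTTP answer at all.
Fetcher = Callable[[str], tuple[int, str]]

PROBES = {
    "expr_debug_endpoint": "/expr",         # named in the advisory
    "rest_api_v1": "/api/v1/collections",   # assumed list route under the /api/v1/* prefix
}


def http_fetch(url: str, timeout: float = 5.0) -> tuple[int, str]:
    """Real transport: one unauthenticated GET; never raises."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 4xx/5xx still proves the route is registered
        return err.code, err.read(2048).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):   # refused, timed out, DNS failure
        return 0, ""


def make_fake(routes: Optional[dict[str, int]]) -> Fetcher:
    """Constructed offline stand-in for a host: path -> status; unknown path -> 404.
    routes=None simulates a closed or firewalled port."""
    def fetch(url: str) -> tuple[int, str]:
        if routes is None:
            return 0, ""
        return routes.get(urllib.parse.urlsplit(url).path, 404), ""
    return fetch


@dataclass
class Finding:
    name: str
    path: str
    status: int
    verdict: str


def classify(status: int) -> str:
    """Map a raw status to what it says about authentication on that route (heuristic)."""
    if status == 0:
        return "unreachable"        # port not exposed to us: the precondition is absent
    if status in (401, 403):
        return "auth-required"      # the route asked for credentials
    if status in (404, 405):
        return "inconclusive"       # not registered here, or wrong method for a GET probe
    return "unauthenticated"        # 2xx/400/500: the handler ran without a credential check


def check_host(base_url: str, fetch: Fetcher = http_fetch) -> list[Finding]:
    """Probe every route in PROBES on the management port and classify each answer."""
    base = base_url.rstrip("/")
    findings = []
    for name, path in PROBES.items():
        status, _ = fetch(base + path)
        findings.append(Finding(name, path, status, classify(status)))
    return findings


def is_exposed(findings: list[Finding]) -> bool:
    """True if any probed route answered without demanding credentials."""
    return any(f.verdict == "unauthenticated" for f in findings)


# Constructed scenarios for the offline demo (not real hosts).
VULNERABLE_HOST = make_fake({"/expr": 200, "/api/v1/collections": 200})  # pre-2.5.27 / pre-2.6.10 defaults
HARDENED_HOST = make_fake({"/expr": 401, "/api/v1/collections": 401})    # every route demands credentials
CLOSED_HOST = make_fake(None)                                             # 9091 not reachable at all

if __name__ == "__main__":
    for label, fake in [("vulnerable", VULNERABLE_HOST), ("hardened", HARDENED_HOST), ("closed", CLOSED_HOST)]:
        findings = check_host("http://milvus.internal:9091", fake)
        print(label, "EXPOSED" if is_exposed(findings) else "ok", [(f.path, f.verdict) for f in findings])
    # Against a live instance use the default transport: check_host("http://<host>:9091")
```

Point check_host at http://<host>:9091 with the default transport to test a live instance from the network position that matters (the one an untrusted client would have). A 401/403 from both routes, or no answer at all, is what a patched or firewalled deployment should produce; a route that answers 200 without credentials is the condition the CVE describes.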
The Milvus security advisory (GHSA-7ppg-37fh-vcr6) and related GitHub releases confirm the issue is fixed in versions 2.5.27 and 2.6.10. A specific commit (92b74dd2e286006a83b4a5f07951027b32e718a9) addresses the authentication flaws by securing the debug endpoint and protecting the REST API endpoints.
Milvus's role in generative AI applications highlights its relevance to AI/ML infrastructures, where vector databases store embeddings for large language models and retrieval-augmented generation workflows. No public evidence of real-world exploitation is available as of the CVE publication on 2026-02-13.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5932
Vulnerability details
Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
AI Security Analysis
- AI Category: Similarity Search
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: generative ai, milvus
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote access to a public-facing Milvus instance through the exposed management port and its weak API authentication is Exploit Public-Facing Application (T1190); once in, the attacker can read and manipulate the stored vectors and metadata, which is Data from Information Repositories: Databases (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly preventing unauthenticated use of the /expr debug endpoint and the /api/v1/* REST API.
- CM-7 (Least Functionality): restricts or disables nonessential capabilities such as the /expr debug endpoint and the unauthenticated REST API on the management port, removing the surface the bypasses need.
- SI-2 (Flaw Remediation): requires identification, assessment and timely remediation of flaws such as this authentication bypass, addressed by upgrading to Milvus 2.5.27 or 2.6.10.