Cyber Resilience

CVE-2026-26190

Critical · Public PoC

Published: 13 February 2026

Modified: 18 February 2026
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.2766 (97.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26190 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Milvus. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.2% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Similarity Search and falls in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-26190 affects Milvus, an open-source vector database designed for generative AI applications. In versions prior to 2.5.27 and 2.6.10, the software exposes TCP port 9091 by default, enabling authentication bypasses. Specifically, the /expr debug endpoint relies on a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), which allows arbitrary expression evaluation. Additionally, the full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, granting access to all business operations. The vulnerability is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306 (Missing Authentication for Critical Function).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By connecting to the exposed port 9091, they can bypass authentication on the /expr endpoint using the predictable token to execute arbitrary expressions. Access to the unauthenticated REST API enables full manipulation of vector database operations, including data read/write, deletion, and credential management, potentially leading to complete compromise of the database.

The Milvus security advisory (GHSA-7ppg-37fh-vcr6) and related GitHub releases confirm the issue is fixed in versions 2.5.27 and 2.6.10. A specific commit (92b74dd2e286006a83b4a5f07951027b32e718a9) addresses the authentication flaws by securing the debug endpoint and protecting the REST API endpoints.

Milvus's role in generative AI applications highlights its relevance to AI/ML infrastructures, where vector databases store embeddings for large language models and retrieval-augmented generation workflows. No public evidence of real-world exploitation is available as of the CVE publication on 2026-02-13.
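As an added illustration, not code from the advisory or the Milvus project, the following Python does two defensive checks a Milvus operator would want: it tests whether a reported version predates the fixed releases the advisory names (2.5.27 and 2.6.10), and it flags requests to the /expr debug endpoint or the /api/v1/* REST API on the default management port 9091 in constructed access-log lines. The log layout, the trusted-source allowlist, and the treatment of release lines other than 2.5 and 2.6 are assumptions.

```python
import re

# Fixed releases named in the advisory (GHSA-7ppg-37fh-vcr6), keyed by release line.
FIXED = {(2, 5): (2, 5, 27), (2, 6): (2, 6, 10)}

def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'v2.6.9' or '2.6.9' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Milvus version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def is_affected(text: str) -> bool:
    """True when the version predates the fix on its release line."""
    version = parse_version(text)
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    # Assumption: lines before 2.5 never received the fix; lines after 2.6 ship with it.
    return line < (2, 5)

# Constructed sample lines (not real Milvus logs): <src ip> -> :<dst port> "<request>" <status>.
SAMPLE_LOG = """\
10.0.0.5 -> :9091 "GET /metrics HTTP/1.1" 200
203.0.113.7 -> :9091 "GET /metrics HTTP/1.1" 200
203.0.113.7 -> :9091 "GET /expr HTTP/1.1" 200
203.0.113.7 -> :9091 "POST /api/v1/entities HTTP/1.1" 200
10.0.0.8 -> :9091 "POST /api/v1/collection HTTP/1.1" 200
"""
LINE_RE = re.compile(
    r'^(?P<src>\S+) -> :(?P<port>\d+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d+)$'
)
# The debug endpoint and REST API the advisory says are reachable on the management port.
SENSITIVE_PATH = re.compile(r"^/(expr|api/v1/)")
MANAGEMENT_PORT = "9091"

def find_suspicious(lines: list[str], trusted_sources: frozenset[str]) -> list[dict]:
    """Return requests to /expr or /api/v1/* on port 9091 from sources not in the allowlist."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unparsable line: skip rather than mis-classify it
        req = m.groupdict()
        if (req["port"] == MANAGEMENT_PORT and SENSITIVE_PATH.match(req["path"])
                and req["src"] not in trusted_sources):
            hits.append(req)
    return hits
```

Run `find_suspicious(SAMPLE_LOG.splitlines(), frozenset({"10.0.0.5", "10.0.0.8"}))` to see the two untrusted requests to /expr and /api/v1/entities flagged while /metrics scrapes and allowlisted sources pass.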


Vulnerability details

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.

CWE(s)

CWE-306 Missing Authentication for Critical Function

AI Security Analysis

AI Category: Similarity Search
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: generative ai, milvus

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

Unauthenticated remote access to public-facing Milvus vector database via exposed port and weak API authentication (T1190) enables unauthorized data collection and manipulation from the database (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-10452 (shared CWE-306)
CVE-2025-8861 (shared CWE-306)
CVE-2026-4810 (shared CWE-306)
CVE-2026-32211 (shared CWE-306)
CVE-2025-53847 (shared CWE-306)
CVE-2025-61757 (shared CWE-306)
CVE-2025-68715 (shared CWE-306)
CVE-2026-21992 (shared CWE-306)
CVE-2025-26362 (shared CWE-306)
CVE-2026-48692 (shared CWE-306)

Affected Assets

milvus / milvus: ≤ 2.5.27 · 2.6.0 — 2.6.10

Mitigating Controls (NIST 800-53 r5)

Prevent · AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly preventing unauthenticated exploitation of the /expr debug endpoint and /api/v1/* REST API.

Prevent · CM-7 (Least Functionality): Restricts or disables nonessential capabilities like the debug /expr endpoint and the unsecured full REST API on the management port, eliminating exposure to authentication bypasses.

Prevent: Requires identification, assessment, and timely remediation of flaws such as this authentication bypass, addressed by patches in Milvus 2.5.27 and 2.6.10.
