Advisories for Golang/Github.com/Milvus-Io/Milvus package

2026

Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise

Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities. First, the /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. Second, the full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations, including data manipulation and credential management.

2025

Milvus Proxy has a Critical Authentication Bypass Vulnerability

An unauthenticated attacker can exploit this vulnerability to bypass all authentication mechanisms in the Milvus Proxy component, gaining full administrative access to the Milvus cluster. This grants the attacker the ability to read, modify, or delete data, and to perform privileged administrative operations such as database or collection management. All users running affected Milvus versions are strongly advised to upgrade immediately.