CVE-2026-26190: Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise
Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:
- The /exprdebug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation.
- The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.
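As an added defender-side example (not part of this advisory or of the Milvus project), the following Python detector flags requests that reach the two advisory-named paths on the 9091 management port, rating hits from non-loopback sources as critical because they show the port is reachable from the network. The access log format and the sample lines are constructed assumptions, not real Milvus output.

```python
import re
from ipaddress import ip_address

# Constructed sample access log (assumed format:
# "<src_ip> <dst_port> <method> <path> <status>"); not real Milvus logs.
SAMPLE_LOG = """\
10.0.0.5 9091 GET /metrics 200
203.0.113.7 9091 POST /exprdebug 200
203.0.113.7 9091 POST /api/v1/collection 200
10.0.0.9 19530 POST /api/v1/collection 200
127.0.0.1 9091 GET /healthz 200
127.0.0.1 9091 POST /exprdebug 200
"""

LOG_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d+)$")
MGMT_PORT = 9091
# Path prefixes the advisory names as reachable on 9091 without real authentication.
SENSITIVE_PREFIXES = ("/exprdebug", "/api/v1/")


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, port, method, path, status = m.groups()
    return {"src": src, "port": int(port), "method": method,
            "path": path, "status": int(status)}


def is_sensitive(path):
    """True when the request path is one of the advisory-named endpoints."""
    return any(path.startswith(p) for p in SENSITIVE_PREFIXES)


def find_alerts(log_text):
    """Return (severity, source_ip, path) for hits on sensitive paths over 9091.

    Loopback sources are rated 'warn' (local tooling); anything else is
    'critical' because it proves the management port is network-exposed.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["port"] != MGMT_PORT or not is_sensitive(ev["path"]):
            continue
        severity = "warn" if ip_address(ev["src"]).is_loopback else "critical"
        alerts.append((severity, ev["src"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```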