GHSA-7ppg-37fh-vcr6: Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise

February 11, 2026

Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:

The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation.
The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.

References

github.com/advisories/GHSA-7ppg-37fh-vcr6
github.com/milvus-io/milvus
github.com/milvus-io/milvus/releases/tag/v2.5.27
github.com/milvus-io/milvus/releases/tag/v2.6.10
github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6

Code Behaviors & Features

Detect and mitigate GHSA-7ppg-37fh-vcr6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →