CVE-2026-26190: Milvus RCE — Critical — Patch Now

Overview

A critical security vulnerability has been identified in the Milvus vector database, a core component for many generative AI and similarity search applications. This flaw allows attackers to bypass all authentication controls, potentially leading to a complete compromise of the database and its data.

Vulnerability Description

In simple terms, Milvus was shipped with several major security oversights in its default configuration. First, a TCP port used for internal management was unnecessarily exposed. On this port, two critical issues existed:

1. A debugging feature was protected by a weak, predictable password that could be easily guessed.
2. More severely, the entire operational API-the interface used to insert, query, and manage data-was made available on this port with no authentication whatsoever.

This combination means an attacker who can reach this port can run commands and access data as if they were a fully privileged administrator, without needing a username or password.

Potential Impact

The impact of this vulnerability is severe (CRITICAL, CVSS: 9.8). An unauthenticated remote attacker could:

• Steal, modify, or delete all vector data and metadata stored in the database.
• Compromise AI applications that rely on this data, leading to data leakage, corrupted outputs, or complete service failure.
• Access and manipulate system credentials and configurations, enabling a persistent foothold within the environment.
• Execute arbitrary code on the server via the vulnerable debug endpoint.

Any Milvus instance exposed to a network (including internal networks) is at significant risk.

Remediation and Mitigation

Immediate Action Required:

1. Upgrade Immediately: This is the primary fix. Update your Milvus installation to version 2.5.27 or 2.6.10 or later. These versions contain the necessary patches.
2. Restrict Network Access: As a critical interim measure until patching, use firewall rules (e.g., AWS Security Groups, Azure NSGs, iptables) to block all external access to TCP port 9091 on your Milvus nodes. Ensure this port is only accessible from strictly necessary, trusted management hosts.

Verification and Best Practices:

• After upgrading, verify that the /api/v1/ endpoints and the /expr debug endpoint are no longer accessible without valid authentication.
• Review your deployment architecture. Milvus management and metrics ports should never be exposed to the public internet. Adhere to the principle of least-privilege network access.
• Regularly subscribe to security announcements for the open-source components in your AI/ML stack.

Note: Simply changing the default etcd.rootPath does not fully mitigate this vulnerability, as the core issue was the complete lack of authentication on the main API. Patching is the only complete solution.