CVE-2026-26190 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: February 13, 2026
Milvus - Authentication Bypass
Overview
Milvus versions before 2.5.27 and before 2.6.10 contain an authentication bypass caused by a weak default token and an unauthenticated REST API on TCP port 9091, which lets attackers perform arbitrary expression evaluation and data manipulation. Exploitation requires network access to port 9091.
Impact
Attackers can bypass authentication to execute arbitrary expressions and manipulate data, risking full system compromise.
Mitigation
Update to versions 2.5.27 or 2.6.10 or later.
Social Media Activity (2 posts)
CVE-2026-26190: CRITICAL auth bypass in Milvus (<2.5.27, 2.6.0-2.6.9). REST API & /expr debug endpoint exposed via port 9091, enabling unauth access to data & creds. Patch to 2.5.27/2.6.10 ASAP! Details: https://radar.offseq.com/threat/cve-2026-26190-cwe-306-missing-authentication-for--6b5551d3 #OffSeq #infosec #AIsecurity
CVE-2026-26190 - Critical (9.8) Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default au... https://www.thehackerwire.com/vulnerability/CVE-2026-26190/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-26190
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_authentication
- Status: unconfirmed
- EPSS: 10.7%
- Social Posts: 2
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H