What is CVE-2026-26190?

CVE-2026-26190 is a critical-severity vulnerability in Milvus-io Milvus, classified under Missing Authentication for Critical Function. CVSS score: 9.8/10. Published 2026-02-13.

How severe is CVE-2026-26190?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Auth bypass in Milvus-io Milvus

CVE-2026-26190

Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable de…

Vulnerability class: Broken Authentication

EPSS: 0.005 (66.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Milvus-io Milvus — versions < 2.5.27, >= 2.6.0, < 2.6.10

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6 (x_refsource_CONFIRM)
https://github.com/milvus-io/milvus/commit/92b74dd2e286006a83b4a5f07951027b32e718a9 (x_refsource_MISC)
https://github.com/milvus-io/milvus/releases/tag/v2.5.27 (x_refsource_MISC)
https://github.com/milvus-io/milvus/releases/tag/v2.6.10 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-26190?: CVE-2026-26190 is a critical-severity vulnerability in Milvus-io Milvus, classified under Missing Authentication for Critical Function. CVSS score: 9.8/10. Published 2026-02-13.
How severe is CVE-2026-26190?: Critical severity. CVSS v3 base score is 9.8 out of 10.