CVE-2026-10814 - Vulnerability Details

- milvus-io milvus Grantee ID Hash kv_catalog.go weak hash

Description

A vulnerability has been found in milvus-io milvus up to 2.6.13. This vulnerability affects unknown code of the file internal/metastore/kv/rootcoord/kv_catalog.go of the component Grantee ID Hash Handler. The manipulation leads to use of weak hash. The attack needs to be performed locally. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3d932f1c3e065351c4440c27abe1e6479752544d. Applying a patch is the recommended action to fix this issue.

Published: 2026-06-04

Score: 2 Low

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A weakness in the Grantee ID Hash Handler in Milvus up to version 2.6.13 allows the use of a weak hash algorithm. This can enable a local attacker to create hash collisions that may compromise the uniqueness of grant identifiers, potentially allowing unauthorized operations or data manipulation. The vulnerability is infrequently exploitable, requiring high complexity efforts and local execution.

Affected Systems

Milvus 2.6.13 and earlier versions of the Milvus open‑source vector database are affected. The flaw resides in the internal/metastore/kv/rootcoord/kv_catalog.go component of the Milvus product released by Milvus‑IO.

Risk and Exploitability

The CVSS score of 2 indicates a low impact; the EPSS score is not reported and the vulnerability is not listed in the CISA KEV catalog. The attack requires local system access, high complexity, and is considered difficult to exploit. Consequently, the risk is limited to environments where local privileges can be obtained, and the likely attack vector is an insider or compromised host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

milvus-io

milvus

affected

Version	Status	Constraints
`2.6.0`	affected	—
`2.6.1`	affected	—
`2.6.2`	affected	—
`2.6.3`	affected	—
`2.6.4`	affected	—
`2.6.5`	affected	—
`2.6.6`	affected	—
`2.6.7`	affected	—
`2.6.8`	affected	—
`2.6.9`	affected	—
`2.6.10`	affected	—
`2.6.11`	affected	—
`2.6.12`	affected	—
`2.6.13`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Milvus to the patch identified by commit 3d932f1c3e065351c4440c27abe1e6479752544d
Restrict local access to the Milvus nodes to trusted administrators only
Monitor system logs for repeated or anomalous grant ID collisions or unauthorized access attempts

Generated by OpenCVE AI on June 4, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/milvus-io/milvus/
https://github.com/milvus-io/milvus/commit/3d932f1c3e065351c4440c27abe1e6479752544d
https://github.com/milvus-io/milvus/issues/49857
https://github.com/milvus-io/milvus/pull/50060
https://vuldb.com/cve/CVE-2026-10814
https://vuldb.com/submit/831645
https://vuldb.com/vuln/368262
https://vuldb.com/vuln/368262/cti

History

Thu, 04 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 04 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in milvus-io milvus up to 2.6.13. This vulnerability affects unknown code of the file internal/metastore/kv/rootcoord/kv_catalog.go of the component Grantee ID Hash Handler. The manipulation leads to use of weak hash. The attack needs to be performed locally. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3d932f1c3e065351c4440c27abe1e6479752544d. Applying a patch is the recommended action to fix this issue.
Title		milvus-io milvus Grantee ID Hash kv_catalog.go weak hash
First Time appeared		Milvus-io Milvus-io milvus
Weaknesses		CWE-327 CWE-328
CPEs		cpe:2.3:a:milvus-io:milvus::::::::
Vendors & Products		Milvus-io Milvus-io milvus
References		https://github.com/milvus-io/milvus/ https://github.com/milvus-io/milvus/commit/3d932f1c3e065351c4440c27abe1e6479752544d https://github.com/milvus-io/milvus/issues/49857 https://github.com/milvus-io/milvus/pull/50060 https://vuldb.com/cve/CVE-2026-10814 https://vuldb.com/submit/831645 https://vuldb.com/vuln/368262 https://vuldb.com/vuln/368262/cti
Metrics		cvssV2_0 `{'score': 3.5, 'vector': 'AV:L/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 4.5, 'vector': 'CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 4.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Milvus-io Milvus

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-04T15:00:19.440Z

Updated: 2026-06-04T15:46:55.116Z

Reserved: 2026-06-04T05:41:43.203Z

Link: CVE-2026-10814

Vulnrichment

Updated: 2026-06-04T15:46:51.639Z

NVD

Status : Awaiting Analysis

Published: 2026-06-04T16:16:33.117

Modified: 2026-06-04T16:32:54.380

Link: CVE-2026-10814

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T17:00:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity High

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object