Impact
Milvus exposes port 9091 by default, and the /expr debug endpoint uses a weak, predictable authentication token derived from etcd.rootPath, enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics port without any authentication, allowing unauthenticated access to business operations, including data manipulation and credential management. The vulnerability aligns with missing login checks (CWE-306) and results in remote code execution that could lead to unauthorized data and credential manipulation.
Affected Systems
Milvus (milvus-io:milvus) versions prior to 2.5.27 and 2.6.10 are affected. Users running these releases should verify whether their deployments expose port 9091 and whether the /expr endpoint is enabled.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, while the EPSS score of 28% indicates a moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attacking requires only establishing a TCP connection to the metrics port and sending requests; no authentication is required. The simple attack path and wide exposure make this a high‑risk issue for any unauthenticated accessible Milvus service.
OpenCVE Enrichment
Github GHSA