AI Data at Risk: Critical Milvus Flaw (CVSS 9.8) Exposes Database via Port 9091

A critical vulnerability has been discovered in Milvus, the high-performance vector database that powers many of the world’s modern AI and machine learning applications. The flaw, which carries a near-maximum CVSS score of 9.8, exposes the database’s management interface to the public internet, potentially allowing unauthenticated attackers to steal credentials, delete data, or even execute arbitrary code.

The vulnerability centers on a dangerous misconfiguration in how Milvus handles its metrics and debugging port, effectively turning a monitoring tool into a master key for the entire system.

Milvus is designed to manage vast amounts of unstructured data for AI, but for versions prior to 2.5.27 and 2.6.10, it also exposed TCP port 9091 by default without proper safeguards.

This port, intended for metrics and health checks, was found to be hosting two critical security gaps:

• The /expr Endpoint: A debug endpoint that allows the evaluation of Go expressions. Crucially, it uses a weak, predictable default authentication token—”by-dev”—derived from the etcd.rootPath.
• The Full REST API: Even more alarmingly, the entire business API (/api/v1/*) is accessible on this port without any authentication.

The impact of this exposure is catastrophic for affected deployments. An attacker who can connect to port 9091 doesn’t just get to see metrics; they effectively become the system administrator.

According to the advisory, exploitation allows an attacker to:

• Steal Secrets: Read internal configuration values, including MinIO secret keys and etcd credentials, or dump user credential hashes.
• Destroy Data: Drop entire databases, remove collections, or corrupt metadata, leading to a complete Denial of Service.
• Hijack Accounts: Create new administrative users or reset existing passwords to lock out legitimate owners.
• Write Arbitrary Files: Potentially achieve Remote Code Execution (RCE) by manipulating access log configurations to write malicious files to the filesystem.

The maintainers have released patches to close this hole.

• Affected: Versions < 2.5.27 and >= 2.6.0, < 2.6.10 are vulnerable.
• Patched Versions: Users should upgrade to Milvus 2.5.27 or 2.6.10 immediately.

If an immediate upgrade isn’t possible, administrators are urged to block external access to port 9091 using firewalls or network policies to prevent unauthorized connections from reaching the vulnerable interface.

Related Posts:

• Critical Authentication Bypass Vulnerability Found in Milvus Proxy (CVE-2025-64513, CVSS 9.3)
• Developers Beware: Supply Chain Attacks Target Visual Studio Code Extensions