CVE-2026-26190
Milvus · Milvus Vector Database
Milvus vector database contains multiple authentication bypass vulnerabilities via exposed TCP ports and unauthenticated REST API endpoints, allowing full data manipulation and credential access.
Executive summary
Milvus vector database is subject to a critical authentication bypass that allows unauthenticated attackers to perform arbitrary database operations, including data manipulation and credential theft, without ever presenting valid credentials.
Vulnerability
This critical flaw stems from two weaknesses in the default deployment: TCP port 9091, the Milvus management and metrics HTTP port, is exposed by default, and the REST API reachable on it does not enforce authentication. An unauthenticated attacker who can reach the port can use a predictable debug token to have the /expr endpoint evaluate arbitrary expressions, or call the unauthenticated /api/v1 endpoints directly to read and modify data. No user account or prior access is required.
Business impact
A successful exploit grants an attacker full control over the vector database, which is often the backbone of generative AI applications. This can result in the total loss of data integrity, unauthorized access to sensitive proprietary information, and the potential compromise of downstream AI services. The CVSS score of 9.8 reflects the catastrophic impact on confidentiality, integrity, and availability.
Remediation
Immediate Action: Administrators must upgrade Milvus deployments to a fixed release without delay: 2.5.27 or later on the 2.5 branch, or 2.6.10 or later on the 2.6 branch. The fixed releases close the exposed debug and management endpoints.
Proactive Monitoring: Security teams should review network logs for connections to TCP port 9091 from outside the trusted network and inspect application and access logs for requests to the /expr and /api/v1 endpoints, especially from source addresses that are not known Milvus clients.
Compensating Controls: Until the upgrade is applied, restrict network access to the Milvus management port using host or network firewalls, security groups, or a VPN, so that only trusted internal services can reach the database infrastructure; port 9091 should never be reachable from the internet.
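The two checks above (is the deployed version on or past the fixed release for its branch, and is anything outside the trusted network reaching the management port or the /expr and /api/v1 endpoints) are small enough to script. The following Python is an added example written for this page; it is not code from the Milvus project or the advisory. The access-log format, the sample log lines, and the allowed source ranges are constructed for the example, and the version check assumes that any branch newer than 2.6 was cut after the fix and that branches older than 2.5 have no fix published, as the advisory lists none.

```python
import re
from ipaddress import ip_address, ip_network

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {(2, 5): (2, 5, 27), (2, 6): (2, 6, 10)}

# Milvus management/metrics HTTP port and the endpoints the advisory calls out.
MANAGEMENT_PORT = 9091
SENSITIVE_PATHS = ("/expr", "/api/v1")


def parse_version(version):
    """Turn a version string such as 'v2.6.9' or '2.5.27-rc1' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Milvus version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the version is at or above the fixed release on its own branch.

    The comparison is per branch on purpose: a naive tuple compare would rate
    2.6.9 as "newer" than 2.5.27 and therefore safe, but 2.6.9 is unpatched.
    Assumption (not from the advisory): branches newer than 2.6 are treated as
    fixed, branches older than 2.5 as unfixed, since no fix is listed for them.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return (major, minor) > max(FIXED_VERSIONS)
    return (major, minor, patch) >= fixed


# Hypothetical access-log format, constructed for this example:
#   <client_ip> <dst_port> "<METHOD> <path> HTTP/x.y" <status>
LOG_RE = re.compile(r'^(\S+) (\d+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})\s*$')


def _path_matches(path, prefix):
    """Match '/expr' and '/api/v1/...' but not unrelated paths like '/api/v10'."""
    path = path.split("?", 1)[0]
    return path == prefix or path.startswith(prefix + "/")


def suspicious_requests(log_lines, allowed_sources):
    """Return requests that hit the management port or a sensitive endpoint from
    a source address outside the allowed networks. Unparseable lines are skipped."""
    allowed = [ip_network(n) for n in allowed_sources]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, port, method, path, status = m.groups()
        port = int(port)
        on_mgmt_port = port == MANAGEMENT_PORT
        on_sensitive_path = any(_path_matches(path, p) for p in SENSITIVE_PATHS)
        if not (on_mgmt_port or on_sensitive_path):
            continue
        if any(ip_address(src) in net for net in allowed):
            continue
        hits.append({"src": src, "port": port, "method": method,
                     "path": path, "status": int(status)})
    return hits


# Constructed sample log; 10.0.0.0/8 is the trusted internal range for the example.
SAMPLE_LOG = """\
10.0.0.5 9091 "GET /metrics HTTP/1.1" 200
203.0.113.7 9091 "GET /expr HTTP/1.1" 200
203.0.113.7 9091 "POST /api/v1/collection HTTP/1.1" 200
10.0.0.5 9091 "POST /api/v1/collection HTTP/1.1" 200
198.51.100.9 9091 "GET /healthz HTTP/1.1" 200
not an access log line
""".splitlines()

if __name__ == "__main__":
    for v in ("2.5.26", "2.5.27", "2.6.9", "2.6.10"):
        print(f"{v}: {'patched' if is_patched(v) else 'VULNERABLE'}")
    for hit in suspicious_requests(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("suspicious:", hit)
```

Feeding the real proxy or load-balancer access log into `suspicious_requests` only requires adjusting `LOG_RE` to that log's field order; the per-branch version logic in `is_patched` is the part worth keeping as written, because "2.6.x is newer than 2.5.27, so it must be fine" is exactly the mistake that leaves 2.6.9 unpatched.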
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability provides a direct path to total database compromise without authentication, and the affected port is exposed in default deployments. Organizations running Milvus for AI workloads should treat the official patches as an emergency change and, until they are applied, cut off all untrusted network access to port 9091 to limit the risk of data exfiltration and manipulation.