MEDIUM 4.5

CVE-2026-10814: Weak Hash Implementation in Milvus Grantee ID Handler

Milvus, a popular vector database, contains a weakness in how it generates hash identifiers for grantee access control. An attacker with local access and sufficient privileges could exploit weak cryptographic hashing in the Grantee ID Hash Handler to potentially forge or predict access control identifiers, leading to unauthorized data access or modification. The vulnerability requires high technical complexity to exploit and is rated as medium severity.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.5 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-327, CWE-328
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in milvus-io milvus up to 2.6.13. This vulnerability affects unknown code of the file internal/metastore/kv/rootcoord/kv_catalog.go of the component Grantee ID Hash Handler. The manipulation leads to use of weak hash. The attack needs to be performed locally. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3d932f1c3e065351c4440c27abe1e6479752544d. Applying a patch is the recommended action to fix this issue.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10814 stems from insufficient cryptographic practices in milvus/internal/metastore/kv/rootcoord/kv_catalog.go, specifically within the Grantee ID Hash Handler component. The code uses a weak hash function (CWE-327: Use of Broken or Risky Cryptographic Algorithm; CWE-328: Use of Insufficiently Random Values) to generate identifiers for access control grantees. An authenticated local attacker could potentially predict or collide hash outputs, undermining the integrity of role-based access controls. The CVSS 3.1 score of 4.5 (MEDIUM) reflects the requirement for local access and elevated privileges, combined with high attack complexity.

Business impact

Organizations running Milvus clusters face potential insider threats or privilege escalation scenarios. A compromised or malicious privileged user could manipulate grantee identifiers to gain unauthorized access to vector data or metadata, risking data confidentiality and integrity. In regulated environments handling sensitive embeddings (healthcare, financial services, personally identifiable information), this could lead to compliance violations and data breach liability.

Affected systems

Milvus versions up to and including 2.6.13 are affected. The vulnerability resides in the key-value metadata store layer used by the root coordinator component, which manages cluster-wide access controls. Any Milvus deployment using affected versions is in scope; the risk is highest in multi-tenant or shared cluster environments where access control isolation is critical.

Exploitability

Exploitation is difficult and requires local system access plus authenticated credentials with elevated privileges. An attacker must understand the hashing mechanism and have the ability to modify or interact with the key-value store. The attack complexity is rated as high, and no active exploitation has been reported in the wild as of the publication date. Public disclosure of the vulnerability has occurred, but the difficulty barrier limits opportunistic attacks.

Remediation

Apply the patch identified as commit 3d932f1c3e065351c4440c27abe1e6479752544d, which remediates the weak hash implementation in the Grantee ID Hash Handler. Verify the patch is incorporated into the next available Milvus release following version 2.6.13. Until patching is possible, restrict local access to Milvus cluster nodes and audit access control assignments to detect anomalies.

Patch guidance

Obtain and deploy the patch commit 3d932f1c3e065351c4440c27abe1e6479752544d to your Milvus installation. This update strengthens the cryptographic hash used for grantee identifiers. Test the patch in a non-production environment first, particularly if you maintain custom access control policies. After deployment, verify that existing grantee permissions remain consistent and that cluster operations resume normally. Consult the official Milvus advisory and release notes to confirm the patch's inclusion in a specific version release.

Detection guidance

Monitor Milvus logs and audit trails for unexpected changes to grantee assignments or access control entries, particularly modifications initiated by privileged accounts during unusual times. Check for patterns of hash collisions or repeated failed authentication attempts against vector collections. Use file integrity monitoring on the kv_catalog.go component and its compiled binary to detect tampering. If running Milvus in Kubernetes, inspect RBAC and network policies to restrict local access to cluster nodes.

Why prioritize this

Although the CVSS score is moderate (4.5), this vulnerability should be prioritized in environments where Milvus manages sensitive data or supports multi-tenant use cases. The high attack complexity and local access requirement lower the immediate risk for cloud-hosted managed Milvus services, but on-premise deployments and those with broad internal network access warrant prompt patching to prevent insider threats and privilege escalation.

Risk score, explained

The CVSS 3.1 score of 4.5 (MEDIUM) reflects: Attack Vector Local (AV:L), meaning the attacker must have local system access; Attack Complexity High (AC:H), indicating significant technical barriers and environmental conditions are required; Privileges Required (PR:L), demanding authenticated user credentials; no User Interaction (UI:N); unchanged Scope (S:U); and limited impact on Confidentiality, Integrity, and Availability (C:L/I:L/A:L). The score appropriately weights the insider threat model and high barrier to exploitation.

Frequently asked questions

Who is at risk from CVE-2026-10814?

Operators of Milvus 2.6.13 and earlier versions, especially those running multi-tenant or shared clusters. The risk is highest for organizations where multiple teams or applications share vector data and rely on access controls for isolation. Organizations with hostile insiders or compromised internal accounts face elevated risk.

Can this vulnerability be exploited remotely?

No. The attack vector is Local (AV:L), meaning the attacker must have direct access to the Milvus cluster node or its underlying system. Remote exploitation is not possible. However, any compromised service or user account with local access could attempt exploitation.

What should we do if we cannot patch immediately?

Implement compensating controls: restrict SSH/console access to Milvus nodes to trusted administrators only; audit and document all current grantee assignments; enable detailed logging of access control changes; and consider network segmentation to limit lateral movement if a privileged account is compromised. Plan patching as soon as a stable release incorporating the fix is available.

Does this affect Milvus cloud-managed deployments?

Many cloud providers manage patching centrally and may have already applied fixes. Verify with your Milvus service provider whether they are running versions prior to 2.6.13 and their patching timeline. Self-managed Milvus deployments on cloud infrastructure (EC2, GKE, AKS) require manual patching.

This analysis is provided for informational purposes and reflects publicly available information as of the publication and modification dates. SEC.co makes no warranty regarding the accuracy, completeness, or suitability of this content for any specific organization. Consult official Milvus security advisories, vendor documentation, and your own security team before making patching or deployment decisions. CVSS scores and vulnerability classifications are subject to change as additional information emerges. Organizations are responsible for assessing their own exposure and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).