github.com/milvus-io/milvus/pkg/v2 is vulnerable to Improper Input Validation
50
Medium Risk
Affected versions of this package are vulnerable to Remote Expression Execution via the Internal Expression Evaluation Endpoint. The internal HTTP server's /expr endpoint compiles and executes user-supplied Go expressions taken from the code parameter. It can be exploited if the server is inadvertently exposed, or if the low-entropy default authentication secret (by-dev) is guessed or leaked. An attacker can then execute arbitrary logic within the server's context, such as calling exposed functions like param.Get() or param.Save() to read or manipulate configuration, leading to information disclosure, system compromise, or denial-of-service.
You are affected if you are using a version that falls within the vulnerable range.
github.com/milvus-io/milvus/pkg/v2 is vulnerable to Improper Input Validation in versions 2.6.0 - 2.6.8 and 2.5.0 - 2.5.25.
Upgrade the github.com/milvus-io/milvus/pkg/v2 library to a patched version.
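To check a project against the ranges above, the following added example (not part of the advisory or of the Milvus code base) reads the required version from go.mod text and classifies it. The function names, the "review" status for pre-release and pseudo-versions, and the sample go.mod are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const modulePath = "github.com/milvus-io/milvus/pkg/v2"

// Affected ranges from the advisory, as {minor, first patch, last patch} under major version 2.
var affected = [][3]int{{5, 0, 25}, {6, 0, 8}}

// Constructed sample go.mod; the example.com module and the pinned version are illustrative.
const sampleGoMod = "module example.com/vectorsvc\n\nrequire " + modulePath + " v2.6.4\n"

// FindVersion returns the version go.mod requires for modulePath, or "" if absent.
func FindVersion(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == modulePath {
			return f[1]
		}
	}
	return ""
}

// Classify returns "affected", "unaffected", or "review" (unparsable, pre-release or pseudo-version).
func Classify(version string) string {
	parts := strings.Split(strings.TrimPrefix(version, "v"), ".")
	if len(parts) != 3 {
		return "review"
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return "review"
		}
		n[i] = x
	}
	for _, r := range affected {
		if n[0] == 2 && n[1] == r[0] && n[2] >= r[1] && n[2] <= r[2] {
			return "affected"
		}
	}
	return "unaffected"
}

func main() { fmt.Println(modulePath, Classify(FindVersion(sampleGoMod))) }
```

A replace directive for the module is not resolved here; such a project needs a manual check of the replacement target.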