CVE-2026-10814
Analyzed Analyzed - Analysis Complete
Weak Hash Usage in Milvus up to 2.6.13

Publication date: 2026-06-04

Last updated on: 2026-06-10

Assigner: VulDB

Description
A vulnerability has been found in milvus-io milvus up to 2.6.13. This vulnerability affects unknown code of the file internal/metastore/kv/rootcoord/kv_catalog.go of the component Grantee ID Hash Handler. The manipulation leads to use of weak hash. The attack needs to be performed locally. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3d932f1c3e065351c4440c27abe1e6479752544d. Applying a patch is the recommended action to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-10
Generated
2026-06-12
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-11
NVD
CVE-2026-10814
EUVD
EUVD-2026-34292
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
milvus milvus to 2.6.13 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-328 The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CWE-327 The product uses a broken or risky cryptographic algorithm or protocol.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Milvus's RBAC system involves the use of a truncated MD5 hash for grantee IDs, which weakens the collision resistance of privilege bindings. This weakness can allow attackers to forge privilege bindings and gain unauthorized access to data.

Such unauthorized access and privilege escalation can lead to violations of data protection principles required by standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.

Because the vulnerability undermines the integrity of access control mechanisms, it poses a risk to compliance with these regulations by potentially allowing unauthorized data access or modification.

Applying the patch that replaces the truncated hash with a full-length cryptographically secure hash is necessary to restore proper access control and help maintain compliance with these standards.

Executive Summary

CVE-2026-10814 is a security vulnerability in Milvus's Role-Based Access Control (RBAC) system involving the grantee ID hash handler. The vulnerability arises because the grantee ID, which binds privileges to roles, is generated using a truncated MD5 hash (64-bit) instead of the full 128-bit hash. This truncation weakens the collision resistance of the identifier, making it possible for attackers to exploit hash collisions to forge privilege bindings between different roles.

By manipulating the grantee ID values stored in etcd metadata locally, an attacker can cause a victim role to inherit the privileges of another role, effectively bypassing RBAC restrictions. This can allow unauthorized actions such as inserting data into collections that the victim role should not have access to. The root cause is the use of a non-cryptographically secure truncated hash for a security-sensitive identifier, violating best practices for session and privilege management.

Impact Analysis

This vulnerability can lead to unauthorized privilege escalation within the Milvus system. An attacker with local access can exploit hash collisions in the truncated grantee ID to forge privilege bindings, causing a victim role to inherit permissions from another role.

  • Unauthorized access to data collections that should be restricted.
  • Bypassing Role-Based Access Control (RBAC) restrictions.
  • Potential insertion or modification of data by unauthorized users.

Overall, this can compromise the integrity and confidentiality of data managed by Milvus.

Detection Guidance

This vulnerability involves manipulation of the grantee-id values in Milvus's etcd metadata, which is used for Role-Based Access Control (RBAC). Detection would require inspecting the grantee-id hashes stored in etcd to identify if truncated MD5 hashes (64-bit) are being used instead of full-length 128-bit hashes.

Since the attack needs to be performed locally and involves privilege forgery by exploiting hash collisions, detection might involve checking for unusual privilege escalations or unauthorized access to collections.

No explicit detection commands are provided in the resources. However, administrators can examine the etcd metadata related to RBAC grantee IDs and verify if the grantee IDs are using the legacy truncated 16-hex format instead of the full 32-hex MD5 digest.

Mitigation Strategies

The recommended immediate mitigation is to apply the patch identified by commit 3d932f1c3e065351c4440c27abe1e6479752544d, which fixes the vulnerability by switching from truncated 64-bit MD5 hashes to full-length 128-bit MD5 hashes for grantee IDs.

This patch includes hardened legacy grantee ID ownership checks, lazy migration of legacy IDs to full-length IDs, fail-closed behavior for shared legacy IDs, and removal of stale legacy metadata to prevent privilege escalation.

Since the attack complexity is high and exploitability is difficult, applying the patch promptly and restarting the Milvus service to ensure the new grantee ID format is enforced will mitigate the risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10814. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart