CVE-2026-10814
Status: Awaiting Analysis (Queue)
Weak Hash Usage in Milvus up to 2.6.13

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulDB

Description
A vulnerability has been found in milvus-io milvus up to 2.6.13. This vulnerability affects unknown code of the file internal/metastore/kv/rootcoord/kv_catalog.go of the component Grantee ID Hash Handler. The manipulation leads to use of weak hash. The attack needs to be performed locally. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3d932f1c3e065351c4440c27abe1e6479752544d. Applying a patch is the recommended action to fix this issue.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-04
AI Q&A: 2026-06-04
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: milvus-io
Product: milvus
Version / Range: up to 2.6.13 (inclusive)
CWE
CWE-328: The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function, allowing an adversary to reasonably determine the original input (preimage attack), find another input that produces the same hash (second-preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CWE-327: The product uses a broken or risky cryptographic algorithm or protocol.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-10814 is a security vulnerability in Milvus's Role-Based Access Control (RBAC) system involving the grantee ID hash handler. The vulnerability arises because the grantee ID, which binds privileges to roles, is generated using a truncated MD5 hash (64-bit) instead of the full 128-bit hash. This truncation weakens the collision resistance of the identifier, making it possible for attackers to exploit hash collisions to forge privilege bindings between different roles.

By manipulating the grantee ID values stored in etcd metadata locally, an attacker can cause a victim role to inherit the privileges of another role, effectively bypassing RBAC restrictions. This can allow unauthorized actions such as inserting data into collections that the victim role should not have access to. The root cause is the use of a non-cryptographically secure truncated hash for a security-sensitive identifier, violating best practices for session and privilege management.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized privilege escalation within the Milvus system. An attacker with local access can exploit hash collisions in the truncated grantee ID to forge privilege bindings, causing a victim role to inherit permissions from another role.

  • Unauthorized access to data collections that should be restricted.
  • Bypassing Role-Based Access Control (RBAC) restrictions.
  • Potential insertion or modification of data by unauthorized users.

Overall, this can compromise the integrity and confidentiality of data managed by Milvus.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves manipulation of the grantee ID values in Milvus's etcd metadata, which are used for Role-Based Access Control (RBAC). Detection would require inspecting the grantee ID hashes stored in etcd to identify whether truncated MD5 hashes (64-bit) are being used instead of full-length 128-bit hashes.

Since the attack needs to be performed locally and involves privilege forgery by exploiting hash collisions, detection might involve checking for unusual privilege escalations or unauthorized access to collections.

No explicit detection commands are provided in the resources. However, administrators can examine the etcd metadata related to RBAC grantee IDs and verify if the grantee IDs are using the legacy truncated 16-hex format instead of the full 32-hex MD5 digest.
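As an added illustration (not Milvus's own code and not taken from the patch), the following Go program shows the two ID shapes that the explanation and detection answers above describe, and runs an audit over exported key/ID pairs to flag IDs still in the legacy 16-hex form and legacy IDs shared by more than one key. The string hashed, the etcd export shape and the sample pairs are constructed assumptions.

```go
package main
import (
	"crypto/md5"
	"encoding/hex"
	"sort"
	"strings"
)

// GranteeIDs derives both shapes of an MD5-based ID from one input: the legacy
// 16-hex prefix (64 bits, a collision is expected after ~2^32 candidates) and
// the full 32-hex digest (128 bits, ~2^64). Input and derivation are assumptions.
func GranteeIDs(input string) (legacy, full string) {
	sum := md5.Sum([]byte(input))
	full = hex.EncodeToString(sum[:])
	return full[:16], full
}

// ClassifyGranteeID labels an ID from RBAC metadata: "legacy", "full" or "unknown".
func ClassifyGranteeID(id string) string {
	if strings.Trim(id, "0123456789abcdef") != "" {
		return "unknown" // not lower-case hex, so not a digest we recognise
	}
	switch len(id) {
	case 16:
		return "legacy"
	case 32:
		return "full"
	}
	return "unknown"
}

// AuditGranteeIDs scans key -> grantee ID pairs (assumed exported from etcd) for
// keys still on legacy IDs, and for legacy IDs bound to more than one key (the
// shared-ID case the patch treats fail-closed). Output is sorted for stability.
func AuditGranteeIDs(meta map[string]string) (legacyKeys, sharedIDs []string) {
	owners := map[string]int{}
	for key, id := range meta {
		if ClassifyGranteeID(id) != "legacy" {
			continue
		}
		legacyKeys = append(legacyKeys, key)
		if owners[id]++; owners[id] == 2 {
			sharedIDs = append(sharedIDs, id)
		}
	}
	sort.Strings(legacyKeys)
	sort.Strings(sharedIDs)
	return legacyKeys, sharedIDs
}
```

Any key reported in the first list still carries a 64-bit identifier; any ID in the second list is bound to more than one key and deserves a manual look before the upgrade.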


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to apply the patch identified by commit 3d932f1c3e065351c4440c27abe1e6479752544d, which fixes the vulnerability by switching from truncated 64-bit MD5 hashes to full-length 128-bit MD5 hashes for grantee IDs.

This patch includes hardened legacy grantee ID ownership checks, lazy migration of legacy IDs to full-length IDs, fail-closed behavior for shared legacy IDs, and removal of stale legacy metadata to prevent privilege escalation.

Since the attack complexity is high and exploitability is difficult, applying the patch promptly and restarting the Milvus service to ensure the new grantee ID format is enforced will mitigate the risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Milvus's RBAC system involves the use of a truncated MD5 hash for grantee IDs, which weakens the collision resistance of privilege bindings. This weakness can allow attackers to forge privilege bindings and gain unauthorized access to data.

Such unauthorized access and privilege escalation can lead to violations of data protection principles required by standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.

Because the vulnerability undermines the integrity of access control mechanisms, it poses a risk to compliance with these regulations by potentially allowing unauthorized data access or modification.

Applying the patch that replaces the truncated hash with the full-length 128-bit hash is necessary to restore proper access control and help maintain compliance with these standards.

