This tracks with what I've been seeing. Milvus alone had two nasty CVEs recently, one was a full auth bypass on the proxy component and the other was unauthenticated debug endpoints exposed on default ports with a predictable auth token. People are spinning up these vector DBs the same way they used to spin up Elasticsearch clusters in 2015, default configs, no auth, straight to the internet. We learned this lesson already and apparently forgot it.

The 2015 Elasticsearch comparison is the same 'rush to prod' mistake, but with a much worse blast radius. With ES, an attacker still had to figure out your index structure, but with an open vector DB, they can just semantically query for 'production API keys' and the database hands them over. Those recent Milvus CVEs just prove that the perimeter always fails eventually via zero-days or bad configs, which is exactly why we are building EchelonGraph. You have to assume the infrastructure will get exposed at some point, so if you aren't using encapsulation at the source to make the actual payload mathematically useless to an attacker. It's really just a matter of time before it leaks.