Description
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
Published: 2026-02-26
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Root Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

OpenViking versions up to 0.1.18 contain a broken access control flaw that lets unauthenticated users obtain ROOT privileges when the root_api_key setting is absent. The flaw permits attackers to send calls to protected administrative endpoints without any authentication header, enabling them to manage accounts, perform resource operations, and modify system configuration.

Affected Systems

The vulnerability affects all installations of Volcengine OpenViking through version 0.1.18, i.e., any deployment running 0.1.18 or earlier. No newer versions are explicitly listed as affected, and the patch commit is available in the repository history.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, yet the EPSS score is below 1%, suggesting a very low current probability of exploitation. The vulnerability is not in the CISA KEV catalog. As the description states, exploitation requires only HTTP requests to the OpenViking API's protected endpoints with no authentication header; no credentials or user interaction are needed.

Generated by OpenCVE AI on April 15, 2026 at 20:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenViking to a version newer than 0.1.18 or apply the patch commit 0251c7045b3f8092c4d2e1565115b1ba23db282f that restores required root_api_key authentication.
  • Configure a non‑empty root_api_key in the OpenViking configuration file to enforce authentication on all privileged endpoints.
  • If an upgrade or patch cannot be applied immediately, restrict network access to the administrative API endpoints using firewall or network segmentation rules to block unauthenticated traffic.
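The recommended actions above amount to one rule for CWE-306: an omitted credential must never widen privileges. The following is an added illustration of that rule, not OpenViking's own code (the project's implementation is not shown on this page). The `Settings` object, the `X-API-Key` header name, the role names and the 32-character minimum key length are all assumptions chosen for the example; the fail-open variant reproduces the behaviour the advisory describes, and the fail-closed variant and startup guard show the two places a deployment should close it.

```python
"""Fail-open vs fail-closed API-key checks (illustrative; not OpenViking code)."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed minimum length for a root key; chosen for the example, not a project value.
MIN_KEY_LEN = 32
# Assumed header name carrying the key; OpenViking's real header is not on the page.
KEY_HEADER = "X-API-Key"


class ConfigError(RuntimeError):
    """Raised when the service is configured in a way that cannot be secured."""


@dataclass
class Settings:
    """Hypothetical configuration object. An omitted root_api_key is None; an
    empty string is treated the same way as omitted."""
    root_api_key: Optional[str] = None


def _key_matches(presented: Optional[str], configured: str) -> bool:
    # Constant-time comparison on bytes so key length/content is not leaked by timing.
    return presented is not None and hmac.compare_digest(presented.encode(), configured.encode())


def resolve_role_fail_open(settings: Settings, presented_key: Optional[str]) -> str:
    """Vulnerable pattern (CWE-306): when no root key is configured the check is
    skipped and every caller becomes ROOT, so a request with no authentication
    header is granted administrative access whenever root_api_key is omitted."""
    if not settings.root_api_key:
        return "ROOT"
    return "ROOT" if _key_matches(presented_key, settings.root_api_key) else "ANONYMOUS"


def resolve_role_fail_closed(settings: Settings, presented_key: Optional[str]) -> str:
    """Hardened pattern: an unset key never widens privileges. With no key
    configured there is no way to prove ROOT, so every caller stays ANONYMOUS."""
    if not settings.root_api_key:
        return "ANONYMOUS"
    return "ROOT" if _key_matches(presented_key, settings.root_api_key) else "ANONYMOUS"


def validate_settings(settings: Settings) -> Settings:
    """Startup guard: refuse to serve privileged endpoints without a usable root
    key, instead of silently degrading to 'no authentication'."""
    key = settings.root_api_key or ""
    if len(key) < MIN_KEY_LEN:
        raise ConfigError(
            f"root_api_key must be set and at least {MIN_KEY_LEN} characters "
            "before privileged endpoints are exposed"
        )
    return settings


def handle_admin_request(settings: Settings, headers: Dict[str, str], role_resolver) -> Tuple[int, str]:
    """Dispatch a privileged request through the chosen role resolver and
    return an HTTP-style (status, body) pair."""
    role = role_resolver(settings, headers.get(KEY_HEADER))
    if role != "ROOT":
        return 401, "authentication required"
    return 200, "admin action performed"


if __name__ == "__main__":
    # Constructed scenario: root_api_key omitted, request carries no header.
    unset = Settings()
    print("fail-open  :", handle_admin_request(unset, {}, resolve_role_fail_open))
    print("fail-closed:", handle_admin_request(unset, {}, resolve_role_fail_closed))
    try:
        validate_settings(unset)
    except ConfigError as err:
        print("startup guard:", err)
```

Run stand-alone, the fail-open resolver answers the header-less request with 200 while the fail-closed one answers 401, and the startup guard refuses the unset configuration outright; the guard is the more robust of the two controls because it turns a silent misconfiguration into a visible deployment failure.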


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Tue, 07 Apr 2026 18:00:00 +0000

Mon, 02 Mar 2026 21:15:00 +0000
  Metrics, values added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 18:30:00 +0000
  Metrics, values added: cvssV3_1
    {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 27 Feb 2026 09:15:00 +0000
  First Time appeared, values added: Volcengine; Volcengine openviking
  Vendors & Products, values added: Volcengine; Volcengine openviking

Thu, 26 Feb 2026 21:15:00 +0000
  Description, values added: OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
  Title, values added: OpenViking Missing root_api_key Allows Anonymous ROOT Access
  Weaknesses, values added: CWE-306
  References
  Metrics, values added: cvssV4_0
    {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T17:18:28.699Z

Reserved: 2026-01-06T16:47:17.186Z

Link: CVE-2026-22207

Vulnrichment

Updated: 2026-03-02T20:55:11.254Z

NVD

Status: Deferred

Published: 2026-02-26T21:28:52.570

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z

Weaknesses