Description
OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.
Published: 2026-04-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exposure
Action: Immediate Patch
AI Analysis

Impact

OpenViking versions prior to 0.3.3 contain a missing authorization check on the task polling routes. The flaw permits unauthenticated callers to enumerate or retrieve background task metadata, including task type, status, associated resource identifiers, archive URIs, result payloads, and error information. The lack of access control can lead to cross‑tenant interference and the disclosure of confidential data in multi‑tenant deployments.

Affected Systems

The Volcengine OpenViking component is affected. All releases older than version 0.3.3 are vulnerable and must be upgraded to a patched build.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while an EPSS score below 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending unauthenticated HTTP requests to the /api/v1/tasks and /api/v1/tasks/{task_id} endpoints. Because the endpoint is publicly accessible, automated scanners could enumerate tasks across tenants, potentially leaking sensitive information.

Generated by OpenCVE AI on April 14, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenViking to version 0.3.3 or later
  • Restrict network access to the /api/v1/tasks endpoints to trusted IP ranges
  • Enable authentication on the API if not already configured
  • Monitor API logs for unexpected or repeated task polling activity

Generated by OpenCVE AI on April 14, 2026 at 17:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h336-2wxm-pr6q OpenViking contains a missing authorization vulnerability in the task polling endpoints
History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:volcengine:openviking:*:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Volcengine
Volcengine openviking
Vendors & Products Volcengine
Volcengine openviking
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.
Title OpenViking < 0.3.3 Missing Authorization via Task Polling
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Volcengine Openviking
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-08T18:49:10.725Z

Reserved: 2026-01-08T19:04:26.365Z

Link: CVE-2026-22680

cve-icon Vulnrichment

Updated: 2026-04-08T18:48:59.171Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T18:16:38.853

Modified: 2026-04-14T16:16:31.870

Link: CVE-2026-22680

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses