Description
OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.
Published: 2026-04-01
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Bot Proxy
Action: Patch
AI Analysis

Impact

OpenViking versions from 0.2.5 up to but not including 0.2.14 contain a missing authentication check in the bot proxy router, a weakness categorized as CWE‑306. This allows attackers to send POST requests to /bot/v1/chat and /bot/v1/chat/stream without authentication and directly interact with the upstream bot backend protected by OpenViking. By exploiting this flaw, an adversary can issue arbitrary bot queries, retrieve responses, or abuse bot functionality without needing valid credentials.

Affected Systems

The vulnerability affects Volcengine’s OpenViking product in all releases from version 0.2.5 through 0.2.13. Any deployment running one of these releases is susceptible to unauthenticated exploitation of the bot proxy endpoints.

Risk and Exploitability

The CVSS score of 6.9 indicates a Medium‑to‑High impact. The EPSS score is below 1%, suggesting a low likelihood of widespread exploitation at present, and the flaw is not listed in the CISA KEV catalog. Attacks require only simple HTTP POST requests to the specified endpoints and can be performed remotely without credentials, making the attack vector trivial for anyone with network access to the service.

Generated by OpenCVE AI on April 7, 2026 at 23:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenViking to version 0.2.14 or later.

Generated by OpenCVE AI on April 7, 2026 at 23:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:volcengine:openviking:*:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Volcengine
Volcengine openviking
Vendors & Products Volcengine
Volcengine openviking

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.
Title OpenViking 0.2.5 < 0.2.14 Bot Proxy Endpoints Allow Unauthenticated Access
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Volcengine Openviking
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T20:27:23.849Z

Reserved: 2026-03-31T20:40:15.617Z

Link: CVE-2026-34999

cve-icon Vulnrichment

Updated: 2026-04-01T20:27:07.690Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T14:16:55.947

Modified: 2026-04-07T16:37:04.470

Link: CVE-2026-34999

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:59:47Z

Weaknesses