Skip to main content

Openviking CVE-2026-22680

| EUVDEUVD-2026-19744 MEDIUM
Missing Authorization (CWE-862)
2026-04-07 VulnCheck GHSA-h336-2wxm-pr6q
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 07, 2026 - 18:00 euvd
EUVD-2026-19744
Analysis Generated
Apr 07, 2026 - 18:00 vuln.today
Patch released
Apr 07, 2026 - 18:00 nvd
Patch available
CVE Published
Apr 07, 2026 - 17:08 nvd
MEDIUM 6.9

DescriptionCVE.org

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.

AnalysisAI

OpenViking versions prior to 0.3.3 expose a missing authorization vulnerability in task polling endpoints that allows unauthenticated remote attackers to enumerate and retrieve background task metadata created by other users, exposing task types, status, resource identifiers, archive URIs, result payloads, and error information. This vulnerability enables information disclosure with a CVSS score of 6.9 and carries particular risk in multi-tenant deployments where cross-tenant data leakage could occur. No public exploit code has been identified at the time of analysis, though the vulnerability requires only network access and no special attack complexity.

Technical ContextAI

OpenViking is a ByteDance Volcano Engine component (CPE: cpe:2.3:a:volcengine:openviking:*:*:*:*:*:*:*:*) that implements task polling functionality via REST API endpoints. The vulnerability stems from a missing authorization control (CWE-862: Missing Authorization) on the /api/v1/tasks and /api/v1/tasks/{task_id} routes, which should enforce authentication before returning task metadata. In multi-tenant architectures, these endpoints fail to validate whether the requesting user owns or has permission to access task objects before returning detailed information about task execution state, results, and associated resources. The CVSS vector confirms unauthenticated access (PR:N) with network reach (AV:N) and low attack complexity (AC:L), meaning the authorization check is entirely absent rather than weak.

RemediationAI

Vendor-released patch: OpenViking 0.3.3 and later. Upgrade immediately to version 0.3.3 or newer from the official GitHub repository (https://github.com/volcengine/OpenViking/releases/tag/v0.3.3). The upstream fix (commit 8c1c3f3608364ee0bb0e45f73478771a68aebdf5 and PR #1182) implements proper authorization checks on task polling endpoints to enforce authentication and ownership validation. Pending patch deployment, implement network-level access controls to restrict /api/v1/tasks and /api/v1/tasks/{task_id} endpoint access to authenticated internal clients only; however, this is a temporary workaround and patching is required for full remediation. Consult VulnCheck advisory at https://www.vulncheck.com/advisories/openviking-missing-authorization-via-task-polling for additional context.

Share

CVE-2026-22680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy