Skip to main content

Openviking CVE-2026-34999

| EUVDEUVD-2026-17905 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-04-01 disclosure@vulncheck.com
6.9
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.2.14
EUVD ID Assigned
Apr 01, 2026 - 14:22 euvd
EUVD-2026-17905
Analysis Generated
Apr 01, 2026 - 14:22 vuln.today
CVE Published
Apr 01, 2026 - 14:16 nvd
MEDIUM 6.9

DescriptionCVE.org

OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.

AnalysisAI

OpenViking versions 0.2.5 through 0.2.13 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality via POST requests to /bot/v1/chat and /bot/v1/chat/stream endpoints, enabling direct interaction with the upstream bot backend without valid credentials. The vulnerability has a moderate CVSS score of 6.9 due to network accessibility and low confidentiality impact, with public fix availability as of version 0.2.14 reducing immediate risk for patched deployments.

Technical ContextAI

OpenViking is a bot proxy platform that intermediates requests to upstream bot backends. The vulnerability stems from CWE-306 (Missing Authentication Check), where the bot proxy router fails to validate authentication credentials on two critical API endpoints designed to handle chat interactions. The affected endpoints (POST /bot/v1/chat and POST /bot/v1/chat/stream) are intended to be protected but lack proper authentication gates, allowing any network-accessible attacker to bypass credential validation. This affects OpenViking versions 0.2.5 through 0.2.13 as identified in the GitHub release tag v0.2.14, which contains the upstream remediation via commit 27acda8d1701ff68423fbd6c902208e3c1ed9373 and pull request #996.

RemediationAI

Upgrade OpenViking to version 0.2.14 or later, which includes the authentication fix released via commit 27acda8d1701ff68423fbd6c902208e3c1ed9373 (merged in pull request #996). Organizations unable to upgrade immediately should implement network-level access controls to restrict access to the /bot/v1/chat and /bot/v1/chat/stream endpoints to trusted sources only, or disable the bot proxy endpoints if not required. Additional details are available in the vendor advisory at https://www.vulncheck.com/advisories/openviking-bot-proxy-endpoints-allow-unauthenticated-access.

Share

CVE-2026-34999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy