CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
Description (NVD)
OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.
Analysis (AI)
Authentication bypass in OpenViking's VikingBot OpenAPI allows remote unauthenticated attackers to invoke privileged bot-control functions when the api_key configuration is unset or empty. Attackers can submit arbitrary prompts, create bot sessions, and access downstream tools, integrations, secrets, and data without providing valid X-API-Key headers. …
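The description and analysis above both describe the same root cause: an authentication check that only compares the X-API-Key header when a key is configured, so an unset or empty api_key skips the comparison entirely and every request is accepted. The following is an added illustration written for this page; it is not OpenViking's code and the function names, the api_key length threshold and the sample requests are assumptions. It places the fail-open pattern beside a fail-closed version and a startup guard that refuses to expose the routes at all when the key is missing.

```python
"""Fail-open vs fail-closed API-key checks (constructed illustration, not OpenViking code)."""
import hmac
from typing import Callable, Optional


def fail_open_check(configured_key: Optional[str], presented_key: Optional[str]) -> bool:
    """The anti-pattern: the comparison only runs when a key is configured.

    With configured_key == "" or None the `if` body is skipped and every request,
    including one with no X-API-Key header at all, is treated as authenticated.
    """
    if configured_key:
        return presented_key == configured_key
    return True


def fail_closed_check(configured_key: Optional[str], presented_key: Optional[str]) -> bool:
    """Hardened check: missing configuration or a missing header is a deny,
    and the comparison is constant-time so the key cannot be guessed byte by byte."""
    if not configured_key:
        return False
    if presented_key is None:
        return False
    return hmac.compare_digest(presented_key.encode(), configured_key.encode())


def validate_api_key_config(configured_key: Optional[str], min_len: int = 32) -> str:
    """Startup guard (hypothetical): refuse to start an exposed service with an
    empty, whitespace-only or short api_key instead of silently disabling auth.
    The 32-character minimum is an assumed policy value."""
    if not configured_key or not configured_key.strip():
        raise ValueError("api_key is unset or empty; refusing to expose bot-control routes")
    if len(configured_key) < min_len:
        raise ValueError(f"api_key shorter than {min_len} characters")
    return configured_key


# Constructed sample requests: label -> value of the X-API-Key header.
# None models a request that carries no X-API-Key header at all.
SAMPLE_REQUESTS = [
    ("no header", None),
    ("empty header", ""),
    ("wrong key", "not-the-key"),
    ("right key", "correct-key"),
]


def audit(check: Callable[[Optional[str], Optional[str]], bool],
          configured_key: Optional[str],
          requests=SAMPLE_REQUESTS) -> dict:
    """Run one check function over the sample requests and return each decision,
    so a deployment's effective policy with a given api_key can be inspected."""
    return {label: check(configured_key, presented) for label, presented in requests}


if __name__ == "__main__":
    # With api_key unset, the fail-open check admits every request;
    # the fail-closed check admits none until a real key is configured.
    print("fail-open,   api_key='' :", audit(fail_open_check, ""))
    print("fail-closed, api_key='' :", audit(fail_closed_check, ""))
    print("fail-closed, api_key set:", audit(fail_closed_check, "correct-key"))
```

Running `audit` with an empty api_key is a quick way to confirm which behaviour a given code path actually has: every value True means the deployment is exposed exactly as the advisory describes. The startup guard is the complementary control; an operator who deploys without a key then gets a refused start rather than an open bot-control surface.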
Remediation (AI)
Within 24 hours: Verify whether VikingBot is deployed in your environment and confirm the current api_key configuration status; if it is unset or empty, immediately isolate affected instances from production. Within 7 days: Apply the vendor patch (commit c7bb167, per GitHub PR #1447) to all VikingBot deployments and enforce mandatory non-empty api_key values in all configurations. …
External POC / Exploit Code
EUVD-2026-23464
GHSA-jgq2-vq69-gr6h