Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.
AnalysisAI
OpenViking VikingBot OpenAPI routes permit unauthenticated remote attackers to execute privileged bot-control operations when the api_key configuration is unset or empty. Attackers can submit arbitrary prompts, manipulate bot sessions, and access downstream integrations, secrets, and data without providing valid X-API-Key authentication. Affects OpenViking versions ≤0.3.8; patched in commit c7bb167 (v0.3.9 release). No active exploitation confirmed (not in CISA KEV), but EPSS score of 0.11% suggests low observed exploitation probability. VulnCheck advisory and GitHub patch available.
Technical ContextAI
OpenViking is a Volcengine bot framework exposing HTTP OpenAPI routes for bot management and control. The vulnerability stems from CWE-636 (Not Failing Securely), where the authentication middleware fails open when the api_key configuration parameter is unset or empty string. Instead of denying access when authentication credentials are absent, the code permits requests through without validation. This is a classic example of a default-permit rather than default-deny security control. The CVSS v4.0 vector (AV:N/AC:L/AT:P/PR:N) indicates network-accessible exploitation with low complexity but present attack requirements (AT:P suggests configuration-dependent conditions). The affected component is specifically the VikingBot OpenAPI HTTP route handler, which manages bot session lifecycle, prompt submission, and integration access. CPE identifier cpe:2.3:a:volcengine:openviking confirms Volcengine as the vendor.
RemediationAI
Upgrade immediately to OpenViking v0.3.9 or later, which includes commit c7bb167 addressing the authentication bypass (https://github.com/volcengine/OpenViking/releases/tag/v0.3.9). For systems unable to upgrade immediately, implement these compensating controls: (1) Configure a strong api_key value in OpenViking configuration to force authentication check to execute properly - verify the configuration enforces X-API-Key header validation after setting this parameter. (2) Restrict network access to VikingBot OpenAPI HTTP endpoints using firewall rules or network segmentation, permitting only trusted management networks - this reduces attack surface but does not eliminate insider threat or lateral movement risk. (3) Deploy a reverse proxy with authentication enforcement (e.g., nginx with auth_request, API gateway with OAuth) in front of OpenViking endpoints - this adds defense-in-depth but introduces operational complexity and potential performance impact. Note that workarounds (2) and (3) do not fix the underlying fail-open logic and should be considered temporary measures only. Verify patch application by reviewing logs for authentication check behavior and testing that requests without X-API-Key headers are rejected. Audit existing bot configurations for unauthorized access during the vulnerability window.
More in Openviking
View allOpenViking 0.2.1 and earlier contain a path traversal vulnerability in .ovpack file imports that enables local attackers
OpenViking versions 0.2.5 through 0.2.13 contain a missing authentication vulnerability in the bot proxy router that all
OpenViking versions prior to 0.3.3 expose a missing authorization vulnerability in task polling endpoints that allows un
Insufficient data authenticity verification in volcengine OpenViking's Local VectorDB Primary-key Label Handler (version
Same weakness CWE-636 – Not Failing Securely ('Failing Open')
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23464
GHSA-jgq2-vq69-gr6h