Openviking
Monthly
Insufficient data authenticity verification in volcengine OpenViking's Local VectorDB Primary-key Label Handler (versions up to 0.3.21) allows a remote attacker with low-privilege access to manipulate the ID argument passed to the str_to_uint64 function, potentially enabling limited tampering with vector database primary-key label data. The attack vector is network-accessible but rated highly complex, with CVSS 4.0 score of 2.3 reflecting constrained, low-severity impact across confidentiality, integrity, and availability. No public exploit code exists and no active exploitation has been identified; an upstream fix is pending via an unmerged pull request.
OpenViking VikingBot OpenAPI routes permit unauthenticated remote attackers to execute privileged bot-control operations when the api_key configuration is unset or empty. Attackers can submit arbitrary prompts, manipulate bot sessions, and access downstream integrations, secrets, and data without providing valid X-API-Key authentication. Affects OpenViking versions ≤0.3.8; patched in commit c7bb167 (v0.3.9 release). No active exploitation confirmed (not in CISA KEV), but EPSS score of 0.11% suggests low observed exploitation probability. VulnCheck advisory and GitHub patch available.
OpenViking versions prior to 0.3.3 expose a missing authorization vulnerability in task polling endpoints that allows unauthenticated remote attackers to enumerate and retrieve background task metadata created by other users, exposing task types, status, resource identifiers, archive URIs, result payloads, and error information. This vulnerability enables information disclosure with a CVSS score of 6.9 and carries particular risk in multi-tenant deployments where cross-tenant data leakage could occur. No public exploit code has been identified at the time of analysis, though the vulnerability requires only network access and no special attack complexity.
OpenViking versions 0.2.5 through 0.2.13 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality via POST requests to /bot/v1/chat and /bot/v1/chat/stream endpoints, enabling direct interaction with the upstream bot backend without valid credentials. The vulnerability has a moderate CVSS score of 6.9 due to network accessibility and low confidentiality impact, with public fix availability as of version 0.2.14 reducing immediate risk for patched deployments.
OpenViking 0.2.1 and earlier contain a path traversal vulnerability in .ovpack file imports that enables local attackers to write arbitrary files outside the intended directory by crafting malicious ZIP archives with traversal sequences or absolute paths. An attacker with user interaction can overwrite or create files with the privileges of the importing process, potentially leading to code execution or system compromise. No patch is currently available for this vulnerability.
Insufficient data authenticity verification in volcengine OpenViking's Local VectorDB Primary-key Label Handler (versions up to 0.3.21) allows a remote attacker with low-privilege access to manipulate the ID argument passed to the str_to_uint64 function, potentially enabling limited tampering with vector database primary-key label data. The attack vector is network-accessible but rated highly complex, with CVSS 4.0 score of 2.3 reflecting constrained, low-severity impact across confidentiality, integrity, and availability. No public exploit code exists and no active exploitation has been identified; an upstream fix is pending via an unmerged pull request.
OpenViking VikingBot OpenAPI routes permit unauthenticated remote attackers to execute privileged bot-control operations when the api_key configuration is unset or empty. Attackers can submit arbitrary prompts, manipulate bot sessions, and access downstream integrations, secrets, and data without providing valid X-API-Key authentication. Affects OpenViking versions ≤0.3.8; patched in commit c7bb167 (v0.3.9 release). No active exploitation confirmed (not in CISA KEV), but EPSS score of 0.11% suggests low observed exploitation probability. VulnCheck advisory and GitHub patch available.
OpenViking versions prior to 0.3.3 expose a missing authorization vulnerability in task polling endpoints that allows unauthenticated remote attackers to enumerate and retrieve background task metadata created by other users, exposing task types, status, resource identifiers, archive URIs, result payloads, and error information. This vulnerability enables information disclosure with a CVSS score of 6.9 and carries particular risk in multi-tenant deployments where cross-tenant data leakage could occur. No public exploit code has been identified at the time of analysis, though the vulnerability requires only network access and no special attack complexity.
OpenViking versions 0.2.5 through 0.2.13 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality via POST requests to /bot/v1/chat and /bot/v1/chat/stream endpoints, enabling direct interaction with the upstream bot backend without valid credentials. The vulnerability has a moderate CVSS score of 6.9 due to network accessibility and low confidentiality impact, with public fix availability as of version 0.2.14 reducing immediate risk for patched deployments.
OpenViking 0.2.1 and earlier contain a path traversal vulnerability in .ovpack file imports that enables local attackers to write arbitrary files outside the intended directory by crafting malicious ZIP archives with traversal sequences or absolute paths. An attacker with user interaction can overwrite or create files with the privileges of the importing process, potentially leading to code execution or system compromise. No patch is currently available for this vulnerability.