CVE-2026-22207

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/volcengine/OpenViking/issues/302
https://github.com/volcengine/OpenViking/pull/310
https://github.com/volcengine/OpenViking/pull/310/changes/0251c7045b3f8092c4d2e1565115b1ba23db282f
https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access
https://github.com/volcengine/OpenViking/issues/302

Configurations

No configuration.

History

No history.

Information

Published : 2026-02-26 21:28

Updated : 2026-03-02 21:16

NVD link : CVE-2026-22207

Mitre link : CVE-2026-22207

CVE.ORG link : CVE-2026-22207

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-22207", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T21:28:52.570", "references": [{"url": "https://github.com/volcengine/OpenViking/issues/302", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/volcengine/OpenViking/pull/310", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/volcengine/OpenViking/pull/310/changes/0251c7045b3f8092c4d2e1565115b1ba23db282f", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/volcengine/OpenViking/issues/302", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "OpenViking through version 0.1.18, prior to commit\u00a00251c70,\u00a0contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration."}, {"lang": "es", "value": "OpenViking hasta la versi\u00f3n 0.1.18, anterior al commit 0251c70, contiene una vulnerabilidad de control de acceso roto que permite a atacantes no autenticados obtener privilegios ROOT cuando se omite la configuraci\u00f3n root_api_key. Los atacantes pueden enviar solicitudes a puntos finales protegidos sin encabezados de autenticaci\u00f3n para acceder a funciones administrativas, incluyendo la gesti\u00f3n de cuentas, operaciones de recursos y la configuraci\u00f3n del sistema."}], "lastModified": "2026-03-02T21:16:26.037", "sourceIdentifier": "disclosure@vulncheck.com"}