9.8
CVE-2026-22207
- EPSS 0.43%
- Veröffentlicht 26.02.2026 20:34:30
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
OpenViking Missing root_api_key Allows Anonymous ROOT Access
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerVolcengine
≫
Produkt
OpenViking
Default Statusunaffected
Version <=
0.1.18
Version
0
Status
affected
Version
0251c7045b3f8092c4d2e1565115b1ba23db282f
Status
unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.43% | 0.342 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| disclosure@vulncheck.com | 9.3 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| disclosure@vulncheck.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
https://github.com/volcengine/OpenViking/issues/302
https://github.com/volcengine/OpenViking/pull/310
https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access
https://github.com/volcengine/OpenViking/commit/0251c7045b3f8092c4d2e1565115b1ba23db282f