6.9
CVE-2026-34999
- EPSS 0.42%
- Veröffentlicht 01.04.2026 13:30:30
- Zuletzt bearbeitet 07.04.2026 16:37:04
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
LoginOpenViking 0.2.5 < 0.2.14 Bot Proxy Endpoints Allow Unauthenticated Access
OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Volcengine ≫ Openviking Version >= 0.2.5 < 0.2.14
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.42% | 0.332 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| disclosure@vulncheck.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| disclosure@vulncheck.com | 6.9 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
https://github.com/volcengine/OpenViking/releases/tag/v0.2.14
https://github.com/volcengine/OpenViking/pull/996
https://github.com/volcengine/OpenViking/commit/27acda8d1701ff68423fbd6c902208e3c1ed9373
https://www.vulncheck.com/advisories/openviking-bot-proxy-endpoints-allow-unauthenticated-access