CVE-2026-40525

EPSS 0.11%
Veröffentlicht 17.04.2026 18:19:12
Zuletzt bearbeitet 17.04.2026 19:16:39
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellervolcengine

≫

Produkt OpenViking

Default Statusunaffected

Version <= 0.3.8

Version 0

Status affected

Version c7bb1676f4d037609f041bf39e4e2bd52e8f9820

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.292

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
disclosure@vulncheck.com	9.1	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-636 Not Failing Securely ('Failing Open')

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.

https://github.com/volcengine/OpenViking/pull/1447

https://github.com/volcengine/OpenViking/commit/c7bb1676f4d037609f041bf39e4e2bd52e8f9820

https://www.vulncheck.com/advisories/openviking-authentication-bypass-via-vikingbot-openapi

https://nvd.nist.gov/vuln/detail/CVE-2026-40525

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40525

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40525

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40525