CVE-2026-22207

9.8 CRITICAL
Published: February 26, 2026 Modified: March 02, 2026
View on NVD

Description

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/volcengine/OpenViking/issues/302
Source: disclosure@vulncheck.com
https://github.com/volcengine/OpenViking/pull/310
Source: disclosure@vulncheck.com
https://github.com/volcengine/OpenViking/pull/310/changes/0251c7045b3f8092c4d2e1565115b1ba23db282f
Source: disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access
Source: disclosure@vulncheck.com
https://github.com/volcengine/OpenViking/issues/302
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
EPSS (Exploit Probability)
0.2%
43th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-306

Related CVEs

CVE-2026-4519 N/A
CVE-2026-4487 8.8
CVE-2026-33312 N/A
CVE-2026-29794 5.3
CVE-2026-22172 9.9