CVE-2026-40525

9.1 CRITICAL
Published: April 17, 2026 Modified: May 05, 2026
View on NVD

Description

OpenViking prior to version 0.3.9ย contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/volcengine/OpenViking/commit/c7bb1676f4d037609f041bf39e4e2bd52e8f9820
Source: disclosure@vulncheck.com
Patch
https://github.com/volcengine/OpenViking/pull/1447
Source: disclosure@vulncheck.com
Exploit Patch Vendor Advisory
https://github.com/volcengine/OpenViking/releases/tag/v0.3.9
Source: disclosure@vulncheck.com
Release Notes
https://www.vulncheck.com/advisories/openviking-authentication-bypass-via-vikingbot-openapi
Source: disclosure@vulncheck.com
Third Party Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.1 / 10.0
EPSS (Exploit Probability)
0.1%
33th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-636

Affected Vendors

volcengine

Related CVEs

CVE-2026-7855 8.8
CVE-2026-7854 9.8
CVE-2026-42997 7.7
CVE-2026-38428 N/A
CVE-2026-31835 N/A