Описание
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2026-22207
- https://github.com/volcengine/OpenViking/issues/302
- https://github.com/volcengine/OpenViking/pull/310
- https://github.com/volcengine/OpenViking/pull/310/changes/0251c7045b3f8092c4d2e1565115b1ba23db282f
- https://github.com/volcengine/OpenViking/commit/0251c7045b3f8092c4d2e1565115b1ba23db282f
- https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access
EPSS
9.3 Critical
CVSS4
9.8 Critical
CVSS3
CVE ID
Дефекты
Связанные уязвимости
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
EPSS
9.3 Critical
CVSS4
9.8 Critical
CVSS3