CVE-2026-22207

CRITICAL 9.8

OpenViking Missing root_api_key Allows Anonymous ROOT Access

CVSS Score

9.8

EPSS Score

0.3%

EPSS Percentile

53th

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.

CWE	CWE-306
Vendor	volcengine
Product	openviking
Published	Feb 26, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for volcengine openviking

Be the first to know when new critical vulnerabilities affecting volcengine openviking are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Volcengine / OpenViking

0 ≤ 0.1.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/volcengine/OpenViking/issues/302 github.com: https://github.com/volcengine/OpenViking/pull/310 github.com: https://github.com/volcengine/OpenViking/commit/0251c7045b3f8092c4d2e1565115b1ba23db282f vulncheck.com: https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access

Credits

Chia Min Jun Lennon