CVE-2026-40525

CRITICAL 9.1

OpenViking < 0.3.9 Authentication Bypass via VikingBot OpenAPI

CVSS Score

9.1

EPSS Score

0.1%

EPSS Percentile

29th

OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.

CWE	CWE-636
Vendor	volcengine
Product	openviking
Published	Apr 17, 2026
Last Updated	Apr 21, 2026

Stay Ahead of the Next One

Get instant alerts for volcengine openviking

Be the first to know when new critical vulnerabilities affecting volcengine openviking are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

volcengine / OpenViking

0 < 0.3.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/volcengine/OpenViking/releases/tag/v0.3.9 github.com: https://github.com/volcengine/OpenViking/pull/1447 github.com: https://github.com/volcengine/OpenViking/commit/c7bb1676f4d037609f041bf39e4e2bd52e8f9820 vulncheck.com: https://www.vulncheck.com/advisories/openviking-authentication-bypass-via-vikingbot-openapi

Credits

Chia Min Jun Lennon