Broken Access Control Vulnerability in OpenViking by Volcengine
CVE-2026-22207

9.3 CRITICAL

Key Information:

Vendor: Volcengine
CVE Published: 26 February 2026

What is CVE-2026-22207?

OpenViking before version 0.1.18 (and before commit 0251c70) contains a broken access control flaw: when the root_api_key configuration option is not set, the server does not enforce authentication, so an unauthenticated remote attacker who sends requests to protected endpoints without any authentication header is treated as ROOT. The flaw is a fail-open default rather than a bypass of a working check: the absence of a configured key is interpreted as "no authentication required" instead of "no one may be root". With ROOT privileges the attacker can reach critical administrative functions, including account management, resource operations, and system configuration, which compromises the confidentiality, integrity, and availability of the deployment.
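The fail-open pattern described above, next to its fail-closed fix, as an added illustration that is not OpenViking's own code. The names Principal, AuthError, authenticate_fail_open, authenticate_fail_closed and probe, the use of an Authorization: Bearer header, and the sample keys are assumptions made for this example; the real project's request handling and header names are not shown on this page.

```python
"""Fail-open vs fail-closed API-key checks (added illustration, not OpenViking code).

Assumptions (not taken from the advisory): the root key arrives as an
`Authorization: Bearer <token>` header, and the server models the caller as a
Principal with a role. Only the decision logic is shown, not an HTTP server.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Mapping, Optional


@dataclass(frozen=True)
class Principal:
    role: str            # "root" for the administrative identity
    authenticated: bool  # True only if a credential was actually verified


class AuthError(Exception):
    """Raised when a request must be rejected (HTTP 401/403 in a real server)."""


def _bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from an `Authorization: Bearer <token>` header, or None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value or not value.startswith("Bearer "):
        return None
    token = value[len("Bearer "):].strip()
    return token or None


def authenticate_fail_open(headers: Mapping[str, str],
                           root_api_key: Optional[str]) -> Principal:
    """The vulnerable shape: an unset key is read as "auth not configured",
    and every caller, including one with no header at all, becomes ROOT."""
    if not root_api_key:
        # The bug: missing configuration silently disables the check.
        return Principal(role="root", authenticated=False)
    token = _bearer_token(headers)
    if token is not None and hmac.compare_digest(token.encode(), root_api_key.encode()):
        return Principal(role="root", authenticated=True)
    raise AuthError("invalid or missing API key")


def authenticate_fail_closed(headers: Mapping[str, str],
                             root_api_key: Optional[str]) -> Principal:
    """The hardened shape: no configured key means nobody can be ROOT,
    and a missing or wrong header is rejected before any privilege is granted."""
    if not root_api_key:
        raise AuthError("root_api_key is not configured; refusing root access")
    token = _bearer_token(headers)
    if token is None:
        raise AuthError("missing Authorization header")
    # Constant-time comparison so the check does not leak the key byte by byte.
    if not hmac.compare_digest(token.encode(), root_api_key.encode()):
        raise AuthError("invalid API key")
    return Principal(role="root", authenticated=True)


def probe(authenticate: Callable[[Mapping[str, str], Optional[str]], Principal],
          headers: Mapping[str, str], root_api_key: Optional[str]) -> str:
    """Run one request through a checker and report the role it would get,
    or "denied" if the checker rejects it. Useful for table-driven tests."""
    try:
        principal = authenticate(headers, root_api_key)
    except AuthError:
        return "denied"
    return principal.role


if __name__ == "__main__":
    # Constructed requests: no header, a wrong key, and the right key.
    no_header = {}
    wrong_key = {"Authorization": "Bearer not-the-key"}
    right_key = {"Authorization": "Bearer s3cret-root-key"}
    for name, fn in (("fail-open", authenticate_fail_open),
                     ("fail-closed", authenticate_fail_closed)):
        print(name, "unset key, no header ->", probe(fn, no_header, None))
        print(name, "set key, wrong header ->", probe(fn, wrong_key, "s3cret-root-key"))
        print(name, "set key, right header ->", probe(fn, right_key, "s3cret-root-key"))
```

The point of the two functions is the first branch. Both reject a wrong key once a key is configured; only the fail-closed version refuses ROOT when no key is configured at all, which is the deployment state the advisory describes. The practical check for an existing instance is the same as the first probe row: send a request to any endpoint that should require the root key with no Authorization header, and confirm it is rejected rather than answered as ROOT.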

Affected Version(s)

OpenViking 0 <= 0.1.18

OpenViking 0251c7045b3f8092c4d2e1565115b1ba23db282f

CVSS v4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined (as listed; the description states that no authentication is needed)
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 26 February 2026

Credit

Chia Min Jun Lennon