Missing Authorization Vulnerability in OpenViking Product by Volcengine
CVE-2026-22680

6.9 MEDIUM

Key Information:

Vendor: Volcengine

CVE Published: 7 April 2026

What is CVE-2026-22680?

OpenViking versions before 0.3.3 are vulnerable to a missing authorization issue within the task polling endpoints. This vulnerability permits unauthorized users to access sensitive task metadata through the /api/v1/tasks and /api/v1/tasks/{task_id} endpoints without proper authentication. The exposed information includes task types, statuses, resource identifiers, archive URIs, result payloads, and error messages, potentially leading to cross-tenant interference in environments that rely on multi-tenancy.

Affected Version(s)

OpenViking 0 < 0.3.3

OpenViking 8c1c3f3608364ee0bb0e45f73478771a68aebdf5

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon