Missing Authentication in OpenViking Bot Proxy Router
CVE-2026-34999

6.9 MEDIUM

Key Information:

Vendor: Volcengine

CVE Published: 1 April 2026

What is CVE-2026-34999?

OpenViking versions prior to 0.2.14 contain a flaw in the bot proxy router allowing remote unauthenticated attackers to access protected endpoints. By exploiting this vulnerability, attackers can bypass authentication mechanisms and interact with the upstream bot backend through specified endpoints without needing valid credentials. This vulnerability poses significant security risks as it permits unauthorized actions and data exposure.

Affected Version(s)

OpenViking 0.2.5 < 0.2.14

OpenViking 27acda8d1701ff68423fbd6c902208e3c1ed9373

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon