Volcengine Openviking vulnerabilities

6 known vulnerabilities affecting volcengine/openviking.

Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 3

Vulnerabilities

CVE-2026-22207 | P2 | CRITICAL | CVSS 9.8 | Versions: ≤ 0.1.18 | Date: 2026-02-26
CWE-306. OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including accou
Sources: NVD
CVE-2026-40525 | P2 | CRITICAL | CVSS 9.1 | Versions: fixed in 0.3.9 | Date: 2026-04-17
CWE-636. OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing
Sources: GHSA, NVD
CVE-2026-28518 | P3 | HIGH | CVSS 7.8 | Versions: fixed in 0.2.1, ≤ 0.2.1 | Date: 2026-03-03
CWE-22. OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbi
Sources: GHSA, NVD, OSV
CVE-2026-34999 | P3 | MEDIUM | CVSS 5.3 | Versions: ≥ 0.2.5, < 0.2.14 | Date: 2026-04-01
CWE-306. OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly
Sources: NVD
CVE-2026-22680 | P4 | MEDIUM | CVSS 5.3 | Versions: fixed in 0.3.3 | Date: 2026-04-07
CWE-862. OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status,
Sources: GHSA, NVD, OSV
CVE-2026-13507 | P4 | MEDIUM | CVSS 5.0 | Versions: v0.3.0, v0.3.1, +20 more | Date: 2026-06-28
CWE-345. A vulnerability was detected in volcengine OpenViking up to 0.3.21. This affects the function str_to_uint64 of the file openviking/storage/vectordb/utils/str_to_uint64.py of the component Local VectorDB Primary-key Label Handler. The manipulation of the argument ID results in insufficient verification of data authenticity. The attack may be launched
Sources: NVD