Unknown · OpenViking · CVE-2026-22207
**Name of the Vulnerable Software and Affected Versions**
OpenViking versions prior to 0.1.19
**Description**
The software contains a broken access control issue: when the `root api key` configuration is not set, unauthenticated attackers can gain ROOT privileges. Requests sent to protected API endpoints without authentication headers are accepted, which gives access to administrative functions, including account management, resource operations, and system configuration.
**Recommendations**
Update to version 0.1.19 or later.
Ensure the `root api key` configuration is properly set to prevent unauthorized access.
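
The failure mode described above, next to a fail-closed check and a startup guard, as an added example that is not OpenViking's own code. The header name `x-api-key`, the function names and the sample key are assumptions made for illustration.

```python
import hmac
from typing import Mapping, Optional

HEADER = "x-api-key"  # assumed header name, not taken from OpenViking


class AuthConfigError(RuntimeError):
    """Raised at startup when no root API key is configured."""


def _key_matches(presented: str, root_key: str) -> bool:
    # Constant-time comparison on bytes avoids a timing side channel.
    return hmac.compare_digest(presented.encode(), root_key.encode())


def role_fail_open(headers: Mapping[str, str], root_key: Optional[str]) -> Optional[str]:
    """Failure mode from the advisory: an unset key disables the check."""
    if not root_key:
        return "ROOT"  # no key configured, so every caller is treated as ROOT
    return "ROOT" if _key_matches(headers.get(HEADER, ""), root_key) else None


def role_fail_closed(headers: Mapping[str, str], root_key: Optional[str]) -> Optional[str]:
    """Hardened form: missing configuration or missing credentials both deny."""
    presented = headers.get(HEADER, "")
    if not root_key or not presented:
        return None
    return "ROOT" if _key_matches(presented, root_key) else None


def validate_config(root_key: Optional[str]) -> str:
    """Startup guard: refuse to serve when the key is missing or blank."""
    if root_key is None or not root_key.strip():
        raise AuthConfigError("root API key is not set; refusing to start")
    return root_key


def compare(root_key: Optional[str]) -> dict:
    """Run constructed requests through both checks for one configuration."""
    requests = {  # constructed sample requests
        "no_header": {},
        "wrong_key": {HEADER: "guess"},
        "right_key": {HEADER: "constructed-sample-key"},
    }
    return {name: (role_fail_open(h, root_key), role_fail_closed(h, root_key))
            for name, h in requests.items()}
```

Calling `compare(None)` shows the fail-open check granting ROOT to all three requests while the fail-closed check denies them; `validate_config` turns the same misconfiguration into a startup error.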