Unknown · OpenViking · CVE-2026-22680
Name of the Vulnerable Software and Affected Versions
OpenViking versions prior to 0.3.3
Description
OpenViking versions prior to 0.3.3 have a missing authorization issue in task polling endpoints. Unauthorized attackers can enumerate or retrieve background task metadata created by other users. Access to the `/api/v1/tasks` and `/api/v1/tasks/{task id}` routes does not require authentication, exposing task type, task status, resource identifiers, archive URIs, result payloads, and error information. This can lead to cross-tenant interference in multi-tenant deployments.
Recommendations
Update to version 0.3.3 or later.
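To confirm after upgrading that both task routes reject requests carrying no credentials, a check along these lines can be run against your own deployment. This is an added example, not code from the advisory or from OpenViking; the function names, the `{task_id}` placeholder, the 401/403 expectation for a fixed server and the local stub server are assumptions made for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Routes named in the advisory; {task_id} is this script's format placeholder.
TASK_ROUTES = ("/api/v1/tasks", "/api/v1/tasks/{task_id}")
# Ignore proxy environment variables so the request goes straight to the server.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def check_task_routes(base_url, task_id, timeout=5.0):
    """Send GETs with no credentials; return {path: (status, exposed)}."""
    results = {}
    for route in TASK_ROUTES:
        path = route.format(task_id=task_id)
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with OPENER.open(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        # Assumption: a fixed server replies 401/403; any 2xx here means open.
        results[path] = (status, 200 <= status < 300)
    return results


def start_stub(require_auth):
    """Constructed local stand-in for the API (not OpenViking code)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            denied = require_auth and "Authorization" not in self.headers
            self.send_response(401 if denied else 200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    for label, require_auth in (("open", False), ("enforced", True)):
        server, url = start_stub(require_auth)
        print(label, check_task_routes(url, "example-task-id"))
        server.shutdown()
```

Point `check_task_routes` at your own instance's base URL with a task id you created; an `exposed` value of `True` on either route means the authorization check is not in effect.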