PT-2026-22190 · Unknown · Openviking
Chia Min Jun Lennon · Published 2026-02-26 · Updated 2026-03-03
CVE-2026-22207
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenViking versions prior to 0.1.19
Description
The software contains a broken access control issue. Unauthenticated attackers can gain ROOT privileges when the root api key configuration is not set. Attackers can send requests to protected API endpoints without authentication headers, allowing access to administrative functions. These functions include account management, resource operations, and system configuration. The vulnerable API endpoints are accessible without proper authentication when the root api key is omitted.
Recommendations
Update to version 0.1.19 or later.
Ensure the root api key configuration is properly set to prevent unauthorized access.
Exploit
Fix
Missing Authentication
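The failure mode in the description, as an added illustration that is not OpenViking's code: a key check that reads an unset root API key as "authentication off", next to a deny-by-default version and a startup check. All function names and sample keys are hypothetical and constructed for this example.

```python
import hmac
from typing import Optional

ROOT, DENIED = "ROOT", "DENIED"


def _keys_match(configured: str, presented: str) -> bool:
    # Constant-time comparison so response timing does not leak key bytes.
    return hmac.compare_digest(configured.encode(), presented.encode())


def authorize_fail_open(configured: Optional[str], presented: Optional[str]) -> str:
    """Flawed pattern: an unset key is read as 'authentication disabled'."""
    if not configured:
        return ROOT  # any request, even one with no auth header, gets ROOT
    if presented and _keys_match(configured, presented):
        return ROOT
    return DENIED


def authorize_fail_closed(configured: Optional[str], presented: Optional[str]) -> str:
    """Hardened pattern: no configured key means nobody is ROOT."""
    if not configured or not configured.strip():
        return DENIED  # misconfiguration must not widen access
    if not presented:
        return DENIED
    return ROOT if _keys_match(configured, presented) else DENIED


def require_root_key(configured: Optional[str]) -> str:
    """Startup check: refuse to serve protected endpoints without a key."""
    if not configured or not configured.strip():
        raise RuntimeError("root API key is not set; refusing to start")
    return configured


if __name__ == "__main__":
    # Constructed sample requests: (configured key, key presented by client).
    cases = [(None, None), ("", "guess"), ("s3cret-sample", None),
             ("s3cret-sample", "wrong"), ("s3cret-sample", "s3cret-sample")]
    for configured, presented in cases:
        print(f"configured={configured!r:16} presented={presented!r:16} "
              f"fail_open={authorize_fail_open(configured, presented):7} "
              f"fail_closed={authorize_fail_closed(configured, presented)}")
```

The first two sample rows are the ones that matter for review: with no key configured, the fail-open check returns ROOT for every caller while the fail-closed check denies.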
Weakness Enumeration
Related Identifiers
Affected Products
Openviking