CVE-2026-22680

Name of the Vulnerable Software and Affected Versions OpenViking versions prior to 0.3.3

Description OpenViking versions prior to 0.3.3 have a missing authorization issue in task polling endpoints. Unauthorized attackers can enumerate or retrieve background task metadata created by other users. Access to the /api/v1/tasks and /api/v1/tasks/{task id} routes does not require authentication, exposing task type, task status, resource identifiers, archive URIs, result payloads, and error information. This can lead to cross-tenant interference in multi-tenant deployments.

Recommendations Update to version 0.3.3 or later.