PT-2026-33478 · Unknown · Openviking
Hinotoi-Agent · Published 2026-04-17 · Updated 2026-05-12 · CVE-2026-40525
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenViking versions prior to commit c7bb167

Description: An authentication bypass exists in the VikingBot OpenAPI HTTP route surface. The issue occurs when the api key configuration value is unset or empty, causing the authentication check to fail open. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid 'X-API-Key' header. This allows for the submission of attacker-controlled prompts, the creation or use of bot sessions, and unauthorized access to downstream tools, integrations, secrets, or data accessible to the bot.

Recommendations: Update OpenViking to commit c7bb167 or a newer version. Ensure the api key configuration value is properly set and not left empty.
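The fail-open pattern described above, shown beside a fail-closed check and a startup guard, as an added illustration that is not OpenViking's code (the function names, the header lookup and the config key name `api_key` are assumptions made for this example):

```python
import hmac
from typing import Mapping, Optional

HEADER = "X-API-Key"


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP frameworks do."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def authorize_fail_open(configured_key: Optional[str], headers: Mapping[str, str]) -> bool:
    """Shape of the flaw (hypothetical, not the project's code): the comparison is
    only performed when a key is configured, so an unset or empty key disables
    authentication and every request is accepted."""
    if configured_key:
        provided = _get_header(headers, HEADER)
        return provided is not None and hmac.compare_digest(
            provided.encode(), configured_key.encode()
        )
    return True  # fail open: no key configured means no check at all


def authorize_fail_closed(configured_key: Optional[str], headers: Mapping[str, str]) -> bool:
    """Hardened form: a missing or empty key denies everything, a missing header
    denies, and the comparison is constant-time."""
    if not configured_key:
        return False  # fail closed: an unset key must never disable auth
    provided = _get_header(headers, HEADER)
    if provided is None:
        return False
    return hmac.compare_digest(provided.encode(), configured_key.encode())


def api_key_configured(config: Mapping[str, object], key_name: str = "api_key") -> bool:
    """Startup guard: True only if the key is a non-blank string, so the service
    can refuse to start instead of silently running with auth disabled."""
    value = config.get(key_name)
    return isinstance(value, str) and bool(value.strip())


if __name__ == "__main__":
    # Constructed sample: an empty key, as in the misconfiguration the advisory describes.
    sample_config = {"api_key": ""}
    if not api_key_configured(sample_config):
        raise SystemExit("api_key is unset or empty; refusing to serve the OpenAPI routes")
```

Refusing to start on an empty key is the check that turns the recommendation "ensure the api key configuration value is properly set" into something the deployment cannot skip.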

Fix

RCE

Weakness Enumeration

Related Identifiers: CVE-2026-40525, GHSA-JGQ2-VQ69-GR6H

Affected Products: Openviking