{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22207", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-06T16:47:17.186Z", "datePublished": "2026-02-26T20:34:30.907Z", "dateUpdated": "2026-04-07T17:18:28.699Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T17:18:28.699Z"}, "title": "OpenViking Missing root_api_key Allows Anonymous ROOT Access", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}], "affected": [{"vendor": "Volcengine", "product": "OpenViking", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "0.1.18", "versionType": "semver"}, {"status": "unaffected", "version": "0251c7045b3f8092c4d2e1565115b1ba23db282f", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "OpenViking through version 0.1.18, prior to commit\u00a00251c70,\u00a0contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration."}]}], "references": [{"url": "https://github.com/volcengine/OpenViking/issues/302", "tags": ["issue-tracking"]}, {"url": "https://github.com/volcengine/OpenViking/pull/310", "tags": ["vendor-advisory"]}, {"url": "https://github.com/volcengine/OpenViking/commit/0251c7045b3f8092c4d2e1565115b1ba23db282f", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Chia Min Jun Lennon", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"references": [{"url": "https://github.com/volcengine/OpenViking/issues/302", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T20:55:27.000105Z", "id": "CVE-2026-22207", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:55:31.975Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22207", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T20:55:27.000105Z"}}}], "references": [{"url": "https://github.com/volcengine/OpenViking/issues/302", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:55:11.254Z"}}], "cna": {"title": "OpenViking Missing root_api_key Allows Anonymous ROOT Access", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Chia Min Jun Lennon"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Volcengine", "product": "OpenViking", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.1.18"}, {"status": "unaffected", "version": "0251c7045b3f8092c4d2e1565115b1ba23db282f", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/volcengine/OpenViking/issues/302", "tags": ["issue-tracking"]}, {"url": "https://github.com/volcengine/OpenViking/pull/310", "tags": ["vendor-advisory"]}, {"url": "https://github.com/volcengine/OpenViking/commit/0251c7045b3f8092c4d2e1565115b1ba23db282f", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "OpenViking through version 0.1.18, prior to commit\u00a00251c70,\u00a0contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.", "supportingMedia": [{"type": "text/html", "value": "OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-07T17:18:28.699Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22207", "state": "PUBLISHED", "dateUpdated": "2026-04-07T17:18:28.699Z", "dateReserved": "2026-01-06T16:47:17.186Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-26T20:34:30.907Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenViking through version 0.1.18, prior to commit\u00a00251c70,\u00a0contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration."}, {"lang": "es", "value": "OpenViking hasta la versi\u00f3n 0.1.18, anterior al commit 0251c70, contiene una vulnerabilidad de control de acceso roto que permite a atacantes no autenticados obtener privilegios ROOT cuando se omite la configuraci\u00f3n root_api_key. Los atacantes pueden enviar solicitudes a puntos finales protegidos sin encabezados de autenticaci\u00f3n para acceder a funciones administrativas, incluyendo la gesti\u00f3n de cuentas, operaciones de recursos y la configuraci\u00f3n del sistema."}], "id": "CVE-2026-22207", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-26T21:28:52.570", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/volcengine/OpenViking/commit/0251c7045b3f8092c4d2e1565115b1ba23db282f"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/volcengine/OpenViking/issues/302"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/volcengine/OpenViking/pull/310"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/volcengine/OpenViking/issues/302"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.1.18]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "commit 0251c70"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "OpenViking", "source": "cna", "vendor": "Volcengine"}, "product": "openviking", "vendor": "volcengine"}], "analysis": {"en": {"generated_at": "2026-04-15T20:11:26.227015+00:00", "value": {"mitigation_remediation": ["Upgrade OpenViking to a version newer than 0.1.18 or apply the patch commit 0251c7045b3f8092c4d2e1565115b1ba23db282f that restores required root_api_key authentication.", "Configure a non\u2011empty root_api_key in the OpenViking configuration file to enforce authentication on all privileged endpoints.", "If an upgrade or patch cannot be applied immediately, restrict network access to the administrative API endpoints using firewall or network segmentation rules to block unauthenticated traffic."], "summary": {"action": "Immediate Patch", "impact": "Root Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of Volcengine OpenViking through version 0.1.18, i.e., any deployment running 0.1.18 or earlier. No newer versions are explicitly listed as affected, and the patch commit is available in the repository history.", "description_and_impact": "OpenViking versions up to 0.1.18 contain a broken access control flaw that lets unauthenticated users obtain ROOT privileges when the root_api_key setting is absent. The flaw permits attackers to send calls to protected administrative endpoints without any authentication header, enabling them to manage accounts, perform resource operations, and modify system configuration.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a critical severity, yet the EPSS score is less than 1%, suggesting a very low current exploitation probability. The vulnerability is not in the CISA KEV catalog. Attackers would need to send HTTP requests to the OpenViking API\u2019s protected endpoints without authentication headers, a step that can be inferred from the description."}}}}, "created": "2026-02-27T09:04:12.449518+00:00", "updated": "2026-04-15T20:15:13.721652+00:00", "vendors": ["volcengine", "volcengine$PRODUCT$openviking"]}