Vulnerability Description
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
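The defect class described above, a key check that falls open when `root_api_key` is absent, beside a fail-closed replacement and a startup configuration check, as an added Python illustration (hypothetical code, not OpenViking's; the config key name, the `X-API-Key` header and the `root` principal are assumptions):

```python
"""Hypothetical illustration of a fail-open API-key check beside a
fail-closed one; not OpenViking's code. Assumed names: a config mapping
with an optional "root_api_key" entry, the key presented in "X-API-Key"."""
import hmac
from typing import List, Mapping, Optional

ROOT = "root"


def principal_fail_open(config: Mapping[str, str],
                        headers: Mapping[str, str]) -> Optional[str]:
    """Vulnerable pattern: an absent root_api_key disables authentication,
    so a request with no credential header at all is treated as ROOT."""
    expected = config.get("root_api_key")
    if not expected:
        return ROOT  # misconfiguration silently becomes anonymous root
    presented = headers.get("X-API-Key", "")
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    return ROOT if ok else None


def principal_fail_closed(config: Mapping[str, str],
                          headers: Mapping[str, str]) -> Optional[str]:
    """Hardened pattern: no configured key means the root role is
    unreachable; a missing or wrong key yields no principal at all."""
    expected = config.get("root_api_key")
    presented = headers.get("X-API-Key")
    if not expected or presented is None:
        return None
    # constant-time comparison so the key does not leak through timing
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    return ROOT if ok else None


def config_findings(config: Mapping[str, str]) -> List[str]:
    """Deployment check to run on the loaded config before serving."""
    findings = []
    key = config.get("root_api_key")
    if not key:
        findings.append("root_api_key is not set: root role must not fall open")
    elif len(key) < 32:
        findings.append("root_api_key is short: use a random value of 32+ chars")
    return findings


if __name__ == "__main__":
    anon = {}  # constructed: a request carrying no headers
    print(principal_fail_open({}, anon))    # root (the bug)
    print(principal_fail_closed({}, anon))  # None (fixed)
    print(config_findings({}))
```

For an existing deployment the practical check is the last function: confirm `root_api_key` is present and random before exposing the administrative endpoints.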
CVSS Score
CRITICAL
References
- https://github.com/volcengine/OpenViking/commit/0251c7045b3f8092c4d2e1565115b1ba
- https://github.com/volcengine/OpenViking/issues/302
- https://github.com/volcengine/OpenViking/pull/310
- https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anon
FAQ
What is CVE-2026-22207?
CVE-2026-22207 is a vulnerability with a CVSS score of 9.8 (CRITICAL) in OpenViking through version 0.1.18, prior to commit 0251c70: a broken access control flaw that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted (see the Vulnerability Description above).
How severe is CVE-2026-22207?
CVE-2026-22207 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-22207?
The fix is commit 0251c70 (pull request 310), linked in the References section above; versions through 0.1.18 that do not include that commit are affected. Review the vendor's security bulletins for remediation guidance, and confirm that root_api_key is set in the deployment configuration.