CVE-2026-22207

OpenViking Missing root_api_key Allows Anonymous ROOT Access

Description

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.

INFO

Published Date :

2026-02-26T20:34:30.907Z

Last Modified :

2026-02-26T20:34:30.907Z

Source :

VulnCheck

AFFECTED PRODUCTS

The following products are affected by CVE-2026-22207 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22207.

URL	Resource
https://github.com/volcengine/OpenViking/issues/302
https://github.com/volcengine/OpenViking/pull/310
https://github.com/volcengine/OpenViking/pull/310/changes/0251c7045b3f8092c4d2e1565115b1ba23db282f
https://www.vulncheck.com/advisories/openviking-missing-root-api-key-allows-anonymous-root-access

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability