Description

OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.

INFO

Published Date :

2026-04-01T13:30:30.999Z

Last Modified :

2026-04-01T20:27:23.849Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34999 vulnerability.

Vendors Products
Volcengine
  • Openviking
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34999.

URL Resource
https://github.com/volcengine/OpenViking/commit/27acda8d1701ff68423fbd6c902208e3c1ed9373 cve-icon cve-icon
https://github.com/volcengine/OpenViking/pull/996 cve-icon cve-icon
https://github.com/volcengine/OpenViking/releases/tag/v0.2.14 cve-icon cve-icon
https://www.vulncheck.com/advisories/openviking-bot-proxy-endpoints-allow-unauthenticated-access cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact