Description
OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.
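Added example, not OpenViking's code: a minimal sketch of the fail-open pattern described above beside a fail-closed version. The function names and the lower-cased header dictionary are assumptions made for illustration; only the `api_key` setting and the `X-API-Key` header come from the description.

```python
import hmac
from typing import Mapping, Optional

HEADER = "x-api-key"  # header named in the description; lower-cased keys are assumed


def check_fail_open(configured_key: Optional[str], headers: Mapping[str, str]) -> bool:
    """Flawed pattern: an unset or empty key is treated as 'auth disabled'."""
    if not configured_key:
        return True  # fails open: every caller is accepted
    return headers.get(HEADER, "") == configured_key


def check_fail_closed(configured_key: Optional[str], headers: Mapping[str, str]) -> bool:
    """Hardened pattern: no usable key configured means no request is authorized."""
    if configured_key is None or not configured_key.strip():
        return False  # fails closed when the key is missing, empty or whitespace
    presented = headers.get(HEADER, "")
    if not presented:
        return False
    # Constant-time comparison avoids leaking key bytes through timing.
    return hmac.compare_digest(presented.encode(), configured_key.encode())


def require_api_key_at_startup(configured_key: Optional[str]) -> str:
    """Startup guard: refuse a deployment that would expose unauthenticated routes."""
    if configured_key is None or not configured_key.strip():
        raise RuntimeError("api_key is unset or empty; refusing to expose bot routes")
    return configured_key


if __name__ == "__main__":
    # Constructed cases: (configured api_key, request headers)
    cases = [
        (None, {}),
        ("", {}),
        ("", {HEADER: ""}),
        ("constructed-key", {}),
        ("constructed-key", {HEADER: "wrong"}),
        ("constructed-key", {HEADER: "constructed-key"}),
    ]
    for key, hdrs in cases:
        print(repr(key), hdrs,
              "open:", check_fail_open(key, hdrs),
              "closed:", check_fail_closed(key, hdrs))
```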
INFO
Published Date: 2026-04-17T18:19:12.315Z
Last Modified: 2026-04-17T18:19:12.315Z
Source: VulnCheck
AFFECTED PRODUCTS
The following products are affected by the CVE-2026-40525 vulnerability.
| Vendors | Products |
|---|---|
| Volcengine | OpenViking |