Lucene search
K
VolcengineOpenviking

4 matches found

CVE
CVE
added 2026/04/17 6:19 p.m.29 views

CVE-2026-40525

OpenViking prior to commit c7bb167 contains an authentication bypass in the VikingBot OpenAPI HTTP route surface. If api_key is unset or empty, authentication checks fail and remote attackers with network access can invoke privileged bot-control functionality without a valid X-API-Key header, inc...

9.1CVSS5.8AI score0.00571EPSS
CVE
CVE
added 2026/03/03 2:36 p.m.16 views

CVE-2026-28518

OpenViking versions 0.2.1 and earlier are affected by a path traversal vulnerability in the .ovpack import handling. Malicious ZIP archives containing traversal sequences, absolute paths, or drive prefixes in member names can write files outside the intended import directory with the importing pr...

8.4CVSS6AI score0.00181EPSS
CVE
CVE
added 2026/04/01 1:30 p.m.13 views

CVE-2026-34999

OpenViking 0.2.5, prior to 0.2.14, contains a missing authentication vulnerability in the bot proxy router that lets remote unauthenticated attackers access protected bot proxy functionality by sending requests to POST /bot/v1/chat and POST /bot/v1/chat/stream. Attackers can bypass authentication...

6.9CVSS6AI score0.00418EPSS
CVE
CVE
added 2026/04/07 5:8 p.m.7 views

CVE-2026-22680

The vulnerability affects OpenViking prior to version 0.3.3, where the task polling endpoints (/api/v1/tasks and /api/v1/tasks/{task_id}) allow unauthenticated access. Root cause: missing authorization on task polling exposes background task metadata (task type, status, resource identifiers, arch...

6.9CVSS5.9AI score0.00384EPSS
Web