Executive Summary

CVE-2026-22207 is a critical broken access control vulnerability in OpenViking versions up to 0.1.18. It occurs when the root_api_key configuration is missing, which disables authentication entirely. This allows unauthenticated attackers to send requests to protected endpoints without any authentication headers and gain ROOT privileges.

As a result, attackers can access administrative functions such as account management, resource operations, and system configuration without any restrictions.

The vulnerability arises because when the root_api_key is not set, the server treats all incoming requests as having ROOT role privileges, effectively granting full administrative access to anonymous users.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to escalate privileges to ROOT level without authentication, giving them unrestricted administrative access to the OpenViking server.

• Attackers can manage user accounts and keys.
• They can perform resource operations and modify system configurations.
• They can access and manipulate sensitive endpoints such as /api/v1/admin/*, /api/v1/resources/*, /api/v1/system/status, and others.

If the server is bound to a non-localhost address without a root_api_key, this vulnerability exposes the server to remote attackers across the network, greatly increasing the risk of unauthorized control.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the OpenViking server is running without the root_api_key configured, which disables authentication and allows unauthenticated requests to gain ROOT privileges.

You can test this by sending requests to protected endpoints without any authentication headers and observing if the requests succeed with administrative privileges.

• Send an unauthenticated GET request to a protected endpoint such as /api/v1/system/status or /api/v1/admin/accounts.
• Example curl command: curl -i http://<server_address>/api/v1/system/status
• If the response is successful and returns administrative data without requiring an API key or Authorization header, the vulnerability is present.

Additionally, check the server configuration or logs to see if the root_api_key is missing and if the server is bound to a non-localhost address, which increases exposure risk.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include ensuring that the root_api_key configuration is set to enable authentication and prevent unauthenticated ROOT access.

If you must run without a root_api_key, configure the server to bind only to localhost addresses (127.0.0.1, localhost, or ::1) to restrict access to local requests only.

• Set a strong root_api_key in the server configuration to enable authentication.
• Verify that the server is not bound to a public or non-loopback IP address if root_api_key is missing.
• Restart the OpenViking server after applying these configuration changes.

The server will refuse to start if it detects an unsafe configuration where root_api_key is missing and the host is not localhost, preventing accidental exposure.

Useful 0 Not Useful 0