CVE-2026-22207
Status: Received - Intake
Broken Access Control in OpenViking Allows Root Privilege Escalation

Publication date: 2026-02-26

Last updated on: 2026-04-07

Assigner: VulnCheck

Description
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
Meta Information
Published: 2026-02-26
Last Modified: 2026-04-07
Generated: 2026-05-27
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor: volcengine
Product: openviking
Version / Range: to 0.1.19 (exc)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22207 is a critical broken access control vulnerability in OpenViking versions up to 0.1.18. It occurs when the root_api_key configuration is missing, which disables authentication entirely. This allows unauthenticated attackers to send requests to protected endpoints without any authentication headers and gain ROOT privileges.

As a result, attackers can access administrative functions such as account management, resource operations, and system configuration without any restrictions.

The vulnerability arises because when the root_api_key is not set, the server treats all incoming requests as having ROOT role privileges, effectively granting full administrative access to anonymous users.


How can this vulnerability impact me?

This vulnerability allows an attacker to escalate privileges to ROOT level without authentication, giving them unrestricted administrative access to the OpenViking server.

  • Attackers can manage user accounts and keys.
  • They can perform resource operations and modify system configurations.
  • They can access and manipulate sensitive endpoints such as /api/v1/admin/*, /api/v1/resources/*, /api/v1/system/status, and others.

If the server is bound to a non-localhost address without a root_api_key, this vulnerability exposes the server to remote attackers across the network, greatly increasing the risk of unauthorized control.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the OpenViking server is running without the root_api_key configured, which disables authentication and allows unauthenticated requests to gain ROOT privileges.

You can test this by sending requests to protected endpoints without any authentication headers and observing if the requests succeed with administrative privileges.

  • Send an unauthenticated GET request to a protected endpoint such as /api/v1/system/status or /api/v1/admin/accounts.
  • Example curl command: curl -i http://<server_address>/api/v1/system/status
  • If the response is successful and returns administrative data without requiring an API key or Authorization header, the vulnerability is present.

Additionally, check the server configuration or logs to see if the root_api_key is missing and if the server is bound to a non-localhost address, which increases exposure risk.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include ensuring that the root_api_key configuration is set to enable authentication and prevent unauthenticated ROOT access.

If you must run without a root_api_key, configure the server to bind only to localhost addresses (127.0.0.1, localhost, or ::1) to restrict access to local requests only.

  • Set a strong root_api_key in the server configuration to enable authentication.
  • Verify that the server is not bound to a public or non-loopback IP address if root_api_key is missing.
  • Restart the OpenViking server after applying these configuration changes.

The server will refuse to start if it detects an unsafe configuration where root_api_key is missing and the host is not localhost, preventing accidental exposure.
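The detection and mitigation answers above, worked through as an added example that is not OpenViking's own code: a startup guard that mirrors the described fix (refuse to run with no root_api_key on a non-loopback host) and a classifier for the unauthenticated probe of a protected endpoint. The config keys `host` and `root_api_key`, the `probe` helper and the sample responses are assumptions constructed for this example.

```python
"""Defender-side checks for the CVE-2026-22207 condition (added example, not
OpenViking's own code). Config key names and sample responses are assumed."""
import ipaddress
import urllib.error
import urllib.request

# Paths the advisory lists as protected by the ROOT role.
PROTECTED_PATHS = ("/api/v1/admin/", "/api/v1/resources/", "/api/v1/system/status")


def is_loopback(host: str) -> bool:
    """True for 127.0.0.1, ::1 (optionally bracketed) and the name localhost."""
    h = host.strip().strip("[]")
    if h.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def validate_startup_config(config: dict) -> tuple[bool, str]:
    """Mirror the fixed server's rule: a missing root_api_key is only tolerated
    when the bind address is loopback; otherwise startup must be refused."""
    key = (config.get("root_api_key") or "").strip()
    host = str(config.get("host", "127.0.0.1"))
    if key:
        return True, "root_api_key set; authentication enforced"
    if is_loopback(host):
        return True, f"no root_api_key, but bound to loopback {host} (local only)"
    return False, f"unsafe: no root_api_key and bound to non-loopback host {host}"


def probe_is_exposed(path: str, status: int, body: str) -> bool:
    """A request sent with no auth headers to a protected path that returns 2xx
    with data, rather than 401/403, shows the anonymous-ROOT fallback is active."""
    if not path.startswith(PROTECTED_PATHS):
        return False
    return 200 <= status < 300 and bool(body.strip())


def probe(base_url: str, path: str = "/api/v1/system/status") -> tuple[int, str]:
    """Live helper (needs network): GET without auth headers, return (status, body)."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=5) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


# Constructed sample responses for offline use (not captured from a real server).
SAMPLE_VULNERABLE = ("/api/v1/system/status", 200, '{"status":"ok","role":"ROOT"}')
SAMPLE_FIXED = ("/api/v1/system/status", 401, '{"error":"missing api key"}')
```

Run `validate_startup_config` against the deployed configuration before start, and feed `probe(...)` results into `probe_is_exposed` to confirm that protected endpoints now reject unauthenticated requests.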

