Compliance Impact

The vulnerability in OpenViking prior to version 0.3.3 allows unauthorized access to background task metadata of other users, exposing sensitive information such as task type, status, resource identifiers, archive URIs, result payloads, and error details.

In multi-tenant deployments, this unauthorized data exposure can lead to cross-tenant interference and leakage of potentially sensitive information, which may violate data protection principles found in common standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or sensitive data.

By allowing unauthenticated enumeration and retrieval of task data belonging to other users, the vulnerability undermines confidentiality and access control requirements, increasing the risk of non-compliance with these regulations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-22680 is a missing authorization vulnerability in OpenViking versions prior to 0.3.3. It affects the task polling endpoints `/api/v1/tasks` and `/api/v1/tasks/{task_id}`, which allowed unauthorized attackers to access and enumerate background task metadata created by other users without authentication.

Attackers could retrieve sensitive information such as task type, task status, resource identifiers, archive URIs, result payloads, and error details. This flaw enables cross-tenant interference in multi-tenant deployments by leaking task-related data across tenant boundaries.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive background task information, including task status and results, which may expose internal processing details or resource identifiers.

In multi-tenant environments, it can cause cross-tenant interference where one tenant can view or potentially interfere with another tenant's background tasks, leading to privacy breaches and potential operational disruptions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the OpenViking task polling endpoints without authentication and observing if task metadata from other users is exposed.

Specifically, you can try unauthenticated HTTP GET requests to the following endpoints:

• GET /api/v1/tasks
• GET /api/v1/tasks/{task_id} (replace {task_id} with a known or guessed task ID)

If these requests return HTTP 200 responses with task metadata such as task type, status, resource identifiers, archive URIs, result payloads, or error information without requiring authentication, the system is vulnerable.

Example commands using curl to test this could be:

• curl -v http://<openviking-host>/api/v1/tasks
• curl -v http://<openviking-host>/api/v1/tasks/<task_id>

Replace <openviking-host> with your server address and <task_id> with a task identifier. Receiving task data without authentication indicates the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OpenViking to version 0.3.3 or later, where this vulnerability has been fixed.

The fix enforces authentication and strict ownership validation on the task polling endpoints, ensuring that only authenticated users can access their own background tasks.

If upgrading immediately is not possible, consider restricting network access to the vulnerable endpoints (/api/v1/tasks and /api/v1/tasks/{task_id}) to trusted users only, for example by firewall rules or API gateway authentication enforcement.

Additionally, review your deployment for multi-tenant isolation to prevent cross-tenant data leakage until the patch can be applied.

Useful 0 Not Useful 0