CVE-2026-40525
Analyzed Analyzed - Analysis Complete
Authentication Bypass in OpenViking VikingBot Exposes Privileged Access

Publication date: 2026-04-17

Last updated on: 2026-05-05

Assigner: VulnCheck

Description
OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40525
EUVD
EUVD-2026-23464
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
volcengine openviking to 0.3.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenViking's VikingBot OpenAPI HTTP route before a specific code commit. It is an authentication bypass issue that occurs when the api_key configuration is unset or empty. In this state, the authentication check fails open, allowing remote attackers with network access to the service to bypass authentication.

Attackers can invoke privileged bot-control functions without providing a valid X-API-Key header. This includes submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.

Impact Analysis

The vulnerability allows remote attackers to gain unauthorized access to privileged bot-control functionality. This can lead to unauthorized submission of commands or prompts, manipulation or creation of bot sessions, and exposure or misuse of sensitive data, secrets, and integrations accessible to the bot.

Such unauthorized access can compromise the confidentiality and integrity of the system and its data, potentially leading to data breaches, unauthorized operations, and disruption of services.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart