CVE-2026-40525
Authentication Bypass in OpenViking VikingBot Exposes Privileged Access
Publication date: 2026-04-17
Last updated on: 2026-05-05
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| volcengine | openviking | to 0.3.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-636 | When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenViking's VikingBot OpenAPI HTTP route before a specific code commit. It is an authentication bypass issue that occurs when the api_key configuration is unset or empty. In this state, the authentication check fails open, allowing remote attackers with network access to the service to bypass authentication.
Attackers can invoke privileged bot-control functions without providing a valid X-API-Key header. This includes submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.
How can this vulnerability impact me? :
The vulnerability allows remote attackers to gain unauthorized access to privileged bot-control functionality. This can lead to unauthorized submission of commands or prompts, manipulation or creation of bot sessions, and exposure or misuse of sensitive data, secrets, and integrations accessible to the bot.
Such unauthorized access can compromise the confidentiality and integrity of the system and its data, potentially leading to data breaches, unauthorized operations, and disruption of services.