Critical Authentication Bypass in OpenViking Exposed
Severity: Medium (Score: 57.9)
Sources: Feedly, cve.report, vuldb.com, www.thehackerwire.com
Summary
OpenViking versions prior to commit c7bb167 contain an authentication bypass vulnerability (CVE-2026-40525) in the VikingBot OpenAPI HTTP route. When the api_key configuration value is unset or empty, the route accepts requests that carry no valid X-API-Key header, so a remote attacker can reach privileged functionality without any credential. This allows unauthorized submission of prompts, manipulation of bot sessions, and access to sensitive data, affecting both confidentiality and integrity. Attack complexity is low and no user interaction is required.

A fix is included in version 0.3.8, and users are urged to update immediately. Because the bypass is triggered only by an empty or unset api_key, deployments that have never configured a key should treat the route as fully unauthenticated until they patch; configuring a non-empty key is the interim mitigation the description implies. Network-level access controls are also recommended so that only trusted clients can reach the API endpoints. No evidence of exploitation has been reported as of now. Scores have been published under both CVSS 3.1 and CVSS 4.0 (these are specification versions, not score values); the aggregator rates the issue Medium (57.9).

Key Points:
• CVE-2026-40525 allows unauthenticated access to OpenViking's bot-control functionality when api_key is unset or empty.
• The vulnerability affects all OpenViking versions prior to 0.3.8 and requires immediate patching.
• No evidence of exploitation has been reported, but the potential impact is severe.
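The bug class the advisory describes is a fail-open key check: an unset secret disables authentication instead of denying everything. The following is an added example written for this page, not OpenViking's own code; the route name, the config field `api_key`, and the handler shape are assumptions, and only the header name X-API-Key comes from the advisory. It places the fail-open check beside a fail-closed one and shows the startup guard that prevents the misconfiguration from reaching production at all.

```python
"""Fail-open vs fail-closed API-key checks for a privileged HTTP route.

Added illustration for the CVE-2026-40525 write-up. Constructed code: it is
not OpenViking's implementation. Assumed: the service has an optional string
config value `api_key` and request headers arrive as a str->str mapping.
"""
import hmac
from typing import Mapping, Optional, Tuple

HEADER = "X-API-Key"  # header name taken from the advisory


def _presented_key(headers: Mapping[str, str]) -> Optional[str]:
    """HTTP header names are case-insensitive; normalise before lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(HEADER.lower())


def check_api_key_vulnerable(configured_key: Optional[str],
                             headers: Mapping[str, str]) -> bool:
    """Fail-open pattern (the bug class): no configured key means no check.

    An operator who forgets to set api_key silently exposes every privileged
    route to the network. Constructed to mirror the advisory's description.
    """
    if not configured_key:  # None or "" -> authentication skipped entirely
        return True
    return _presented_key(headers) == configured_key  # also not constant-time


def check_api_key_hardened(configured_key: Optional[str],
                           headers: Mapping[str, str]) -> bool:
    """Fail-closed: an unset key authorises nobody, and the comparison is
    constant-time so a wrong key leaks nothing about the right one."""
    if not configured_key or not configured_key.strip():
        return False
    presented = _presented_key(headers)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               configured_key.encode("utf-8"))


def require_api_key_at_startup(configured_key: Optional[str]) -> str:
    """Refuse to bring up a privileged HTTP surface without a secret.

    Catching the empty value at boot is preferable to relying on every
    handler to remember the fail-closed branch.
    """
    if not configured_key or not configured_key.strip():
        raise RuntimeError(
            "api_key is not configured; refusing to expose the OpenAPI route")
    return configured_key


def handle_submit_prompt(configured_key: Optional[str],
                         headers: Mapping[str, str],
                         body: bytes,
                         *, check=check_api_key_hardened) -> Tuple[int, str]:
    """Minimal privileged route (hypothetical 'submit prompt' action).

    `check` is parameterised only so the two policies can be compared.
    """
    if not check(configured_key, headers):
        return 401, "missing or invalid X-API-Key"
    return 200, f"accepted prompt of {len(body)} bytes"


if __name__ == "__main__":
    # Constructed request: no key configured, no header sent.
    unauth_req: Mapping[str, str] = {"content-type": "application/json"}
    print("vulnerable:", handle_submit_prompt(None, unauth_req, b"{}",
                                              check=check_api_key_vulnerable))
    print("hardened:  ", handle_submit_prompt(None, unauth_req, b"{}"))
    try:
        require_api_key_at_startup("")
    except RuntimeError as exc:
        print("startup guard:", exc)
```

The point to take from the two checks is the default branch, not the comparison: an authentication layer that cannot find its secret must deny, and ideally must refuse to start. Treating the unset case as "no auth configured, allow" is exactly the condition the advisory says turns an internal route into an open one.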