CVE-2026-22207

Source
https://cve.org/CVERecord?id=CVE-2026-22207
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22207.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-22207
Published
2026-02-26T21:28:52.570Z
Modified
2026-03-01T02:23:12.368578Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the rootapikey configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.

References

Affected packages

Git / github.com/volcengine/openviking

Affected ranges

Type
GIT
Repo
https://github.com/volcengine/openviking
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v0.*
v0.1.10
v0.1.11
v0.1.12
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22207.json"