CVE-2026-40525

Source
https://cve.org/CVERecord?id=CVE-2026-40525
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40525.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40525
Aliases
Published
2026-04-17T18:19:12.315Z
Modified
2026-07-08T08:13:12.508674135Z
Severity
  • 9.1 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenViking < 0.3.9 Authentication Bypass via VikingBot OpenAPI
Details

OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40525.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-636"
    ]
}
References

Affected packages

Git / github.com/volcengine/openviking

Affected ranges

Type
GIT
Repo
https://github.com/volcengine/openviking
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:volcengine:openviking:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.3.9"
        }
    ]
}

Affected versions

cli@0.*
cli@0.2.0
v0.*
v0.1.10
v0.1.11
v0.1.12
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.9
v0.2.1
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.15
v0.2.2
v0.2.3
v0.2.5
v0.2.6
v0.2.8
v0.2.9
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40525.json"