PYSEC-2026-2855

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/openviking/PYSEC-2026-2855.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2855
Aliases
Published
2026-07-13T14:36:49.190887Z
Modified
2026-07-13T16:32:33.808742198Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenViking contains a missing authorization vulnerability in the task polling endpoints
Details

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.

References

Affected packages

PyPI / openviking

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.3.3

Affected versions

0.*
0.1.17
0.1.18
0.2.1
0.2.3
0.2.5
0.2.6
0.2.10.dev45
0.2.10.dev50
0.2.10
0.2.11
0.2.12.dev1
0.2.12
0.2.13.dev2
0.2.13.dev4
0.2.13
0.2.14.dev4
0.2.15
0.2.16.dev9
0.3.1
0.3.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/openviking/PYSEC-2026-2855.yaml"