VYPR

Openviking

by Volcengine

pypi: openviking

Source repositories

CVEs (5)

  • CVE-2026-22207CriFeb 26, 2026
    risk 0.64cvss 9.8epss 0.00

    OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without…

  • CVE-2026-40525CriApr 17, 2026
    risk 0.52cvss 9.1epss 0.01

    OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed…

  • CVE-2026-28518HigMar 3, 2026
    risk 0.44cvss 7.8epss 0.00

    OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences,…

  • CVE-2026-22680MedApr 7, 2026
    risk 0.27cvss 5.3epss 0.00

    OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and…

  • CVE-2026-34999MedApr 1, 2026
    risk 0.27cvss 5.3epss 0.00

    OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream…