CVE-2026-22207 CRITICAL

CVE-2026-22207: OpenViking Missing root_api_key Allows Anonymous ROOT Access

Vendor Volcengine
Product OpenViking
Weakness CWE-306 · Missing auth
Published February 26, 2026
Last update April 7, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.

Key dates

02Disclosure timeline

February 26, 2026 CVE published
April 7, 2026 Record updated