CVE-2026-34999
⚪ For information
Missing authentication in OpenViking allows remote access to the bot proxy functionality.
CVSS
5.3
EPSS
0.1%
Exploit
none
Vendor
volcengine
Source description (NVD)
OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.
auth-bypass
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 5.3 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.1% |
| Published (NVD) | 2026-04-01 14:16:55 UTC |
| Last modified (NVD) | 2026-04-07 16:37:04 UTC |
References
- https://github.com/volcengine/OpenViking/commit/27acda8d1701ff68423fbd6c902208e3c1ed9373 (disclosure@vulncheck.com) [Patch]
- https://github.com/volcengine/OpenViking/pull/996 (disclosure@vulncheck.com) [Issue Tracking]
- https://github.com/volcengine/OpenViking/releases/tag/v0.2.14 (disclosure@vulncheck.com) [Release Notes]
- https://www.vulncheck.com/advisories/openviking-bot-proxy-endpoints-allow-unauthenticated-access (disclosure@vulncheck.com) [Third Party Advisory, VDB Entry]