Platform
other
Component
openviking
Fixed in
0.2.14
CVE-2026-34999 describes an authentication bypass vulnerability discovered in OpenViking. This flaw allows unauthenticated attackers to directly interact with the upstream bot backend through the OpenViking proxy, bypassing authentication checks. The vulnerability affects versions 0.2.5 through 0.2.13 of OpenViking, and a fix is available in version 0.2.14.
An attacker exploiting this vulnerability can gain unauthorized access to the bot proxy functionality within OpenViking. This could lead to manipulation of bot responses, data exfiltration, or even the execution of arbitrary commands on the backend system, depending on the bot's capabilities and the underlying infrastructure. The lack of authentication means any external user can potentially leverage this bypass, significantly expanding the attack surface. The impact is amplified if the bot proxy handles sensitive data or interacts with critical systems, potentially leading to broader data breaches or system compromise.
CVE-2026-34999 was publicly disclosed on 2026-04-01. The vulnerability's simplicity and lack of authentication requirements suggest a potentially high probability of exploitation (medium EPSS score). No public proof-of-concept (PoC) code has been observed at the time of writing, but the ease of exploitation makes it a likely target for opportunistic attackers. It is not currently listed on the CISA KEV catalog.
Organizations deploying OpenViking as a bot proxy, particularly those exposing the proxy directly to the internet, are at significant risk. Environments utilizing OpenViking for sensitive applications or handling confidential data are especially vulnerable. Shared hosting environments where multiple users share the same OpenViking instance also face increased risk.
• linux / server: Monitor access logs for requests to the /bot/v1/chat and /bot/v1/chat/stream endpoints without authentication headers. Use journalctl -u openviking to check for authentication-related errors.
    grep -i 'authentication failed' /var/log/openviking/access.log
• generic web: Use curl to test endpoint access without authentication. Verify that access is denied.
    curl -I http://<openviking_ip>/bot/v1/chat
• generic web: Examine response headers for unexpected content or error messages indicating an authentication bypass.
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34999 is to upgrade OpenViking to version 0.2.14 or later, which includes the authentication fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /bot/v1/chat and /bot/v1/chat/stream endpoints without proper authentication headers. Additionally, review and restrict network access to the OpenViking proxy to limit potential attack vectors. After upgrading, verify the fix by attempting to access the /bot/v1/chat and /bot/v1/chat/stream endpoints without providing authentication credentials; access should be denied.
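The interim WAF rule described above, written out as an added example that is not OpenViking's own code: it denies requests to the two bot-proxy endpoints unless they carry a non-empty Authorization header. The advisory does not name the authentication header, so treating Authorization as the credential carrier, and matching the two paths exactly after normalisation, are assumptions of this illustration.

```python
"""Interim request gate for the OpenViking bot-proxy endpoints.

Illustrative code added to the advisory, not part of OpenViking.
Assumption: the proxy's clients authenticate with an Authorization
header; adjust has_credentials() if your deployment uses another header.
"""
from urllib.parse import urlsplit

# Endpoints the advisory names as reachable without authentication.
PROTECTED_PATHS = ("/bot/v1/chat", "/bot/v1/chat/stream")


def normalise_path(raw_path: str) -> str:
    """Drop the query string, collapse duplicate slashes, strip a trailing slash."""
    path = urlsplit(raw_path).path
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"


def is_protected(raw_path: str) -> bool:
    """Exact match after normalisation, so /bot/v1/chatter is not caught."""
    return normalise_path(raw_path) in PROTECTED_PATHS


def has_credentials(headers: dict) -> bool:
    """Header names are case-insensitive; a blank value does not count."""
    for name, value in headers.items():
        if name.lower() == "authorization" and value.strip():
            return True
    return False


def should_block(raw_path: str, headers: dict) -> bool:
    """True when the interim rule must reject the request (respond 401)."""
    return is_protected(raw_path) and not has_credentials(headers)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("/bot/v1/chat", {}),
        ("/bot/v1/chat/stream?session=1", {"Content-Type": "application/json"}),
        ("/bot/v1/chat/", {"authorization": "Bearer <token>"}),
        ("/healthz", {}),
    ]
    for path, hdrs in samples:
        print(f"{path:35} -> {'BLOCK' if should_block(path, hdrs) else 'allow'}")
```

The same predicate doubles as the post-upgrade check: once 0.2.14 is deployed, any request for which should_block() is True must already be refused by OpenViking itself.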
Update OpenViking to version 0.2.14 or later. This version fixes the authentication vulnerability in the bot proxy endpoints and thus prevents unauthorized access.
CVE-2026-34999 is an authentication bypass vulnerability in OpenViking versions 0.2.5 through 0.2.13, allowing unauthenticated access to bot proxy functionality.
You are affected if you are running OpenViking versions 0.2.5 through 0.2.13 and have not yet upgraded.
Upgrade OpenViking to version 0.2.14 or later. As a temporary workaround, implement a WAF rule to block unauthorized access to the vulnerable endpoints.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation.
Refer to the OpenViking project's official website or security mailing list for the latest advisory regarding CVE-2026-34999.