Platform: linux
Component: openviking
Fixed in: 0.1.19
CVE-2026-22207 describes a broken access control vulnerability in OpenViking, a Linux-based application. When the rootapikey configuration is not set, unauthenticated attackers can escalate privileges to ROOT. The vulnerability affects versions from 0.0.0 up to and including the revision 0251c7045b3f8092c4d2e1565115b1ba23db282f. A fix has been released in version 0.1.19.
The impact of this vulnerability is severe. An attacker can exploit it to gain complete control over the OpenViking instance, effectively achieving root-level access. This allows them to perform any action the root user can, including modifying system files, installing malicious software, accessing sensitive data, and potentially pivoting to other systems on the network. The lack of authentication requirements makes this vulnerability particularly dangerous, as an attacker does not need any credentials to exploit it. The ability to manage accounts, resources, and system configurations without authentication represents a significant security risk.
This vulnerability is considered likely to be exploited because of its ease of exploitation and the lack of any authentication requirement. No public proof-of-concept (PoC) code had been released as of the publication date, but the simplicity of the flaw suggests one could be developed quickly. The vulnerability was disclosed on 2026-02-26. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.20% (42nd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-22207 is to immediately upgrade OpenViking to version 0.1.19 or later. If upgrading is not immediately feasible, a temporary workaround is to ensure the rootapikey configuration is always set and properly secured. This key should be a strong, randomly generated value and stored securely. Consider implementing stricter network segmentation to limit the potential blast radius if the system is compromised. Monitor access logs for suspicious activity, particularly requests to administrative endpoints without proper authentication.
Update OpenViking to version 0.1.19 or later to mitigate the vulnerability. Ensure the root API key (root_api_key) is configured to restrict administrative access and prevent anonymous access to privileged functions.
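As an added example (not code from the OpenViking project), a pre-flight check for the root_api_key setting described above: it reports a missing, placeholder, short or low-variety key and can generate a strong replacement. The configuration is modelled as a plain dict and the sample configurations are constructed; OpenViking's real configuration format and loader are assumptions, not taken from the advisory.

```python
import math
import secrets
from collections import Counter

# Added example. The config dict and key name root_api_key follow the advisory
# text; how OpenViking actually loads its configuration is an assumption.
MIN_KEY_LENGTH = 32
MIN_BITS_PER_CHAR = 3.0
PLACEHOLDERS = {"", "changeme", "password", "root", "admin", "test", "secret"}


def shannon_bits_per_char(s: str) -> float:
    """Shannon entropy per character; a coarse guard against low-variety keys."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def check_root_api_key(config: dict) -> list[str]:
    """Return findings about root_api_key; an empty list means it looks acceptable."""
    findings = []
    key = config.get("root_api_key")
    if key is None:
        # The condition behind CVE-2026-22207: with no root key there is no auth gate.
        return ["root_api_key is not set: administrative access is unauthenticated"]
    if not isinstance(key, str):
        return ["root_api_key must be a string"]
    if key.strip().lower() in PLACEHOLDERS:
        findings.append("root_api_key is empty or a well-known placeholder")
    if len(key) < MIN_KEY_LENGTH:
        findings.append(f"root_api_key is shorter than {MIN_KEY_LENGTH} characters")
    if shannon_bits_per_char(key) < MIN_BITS_PER_CHAR:
        findings.append("root_api_key has low character variety; use a random value")
    return findings


def generate_root_api_key(nbytes: int = 32) -> str:
    """A strong, randomly generated key (256 bits) as the advisory recommends."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample configurations, not taken from any real deployment.
WEAK_CONFIG = {"host": "0.0.0.0", "port": 8080}        # root_api_key missing
PLACEHOLDER_CONFIG = {"root_api_key": "changeme"}       # present but guessable
HARDENED_CONFIG = {"root_api_key": "A1b2C3d4E5f6G7h8I9j0KlMnOpQrStUvWxYz_-aB"}
```

Run the check against every deployed configuration before start-up and treat any finding as a blocker until the key is regenerated.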
CVE-2026-22207 is a CRITICAL vulnerability in OpenViking allowing unauthenticated attackers to gain ROOT privileges if the rootapikey is missing. It affects versions 0.0.0–0251c7045b3f8092c4d2e1565115b1ba23db282f.
You are affected if you are running OpenViking versions 0.0.0 through 0251c7045b3f8092c4d2e1565115b1ba23db282f and have not configured the rootapikey.
Upgrade OpenViking to version 0.1.19 or later. As a temporary workaround, ensure the rootapikey configuration is always set and properly secured.
There is no confirmed active exploitation of CVE-2026-22207 at this time, but the ease of exploitation suggests it could be targeted.
Refer to the OpenViking project's official website or security mailing list for the advisory related to CVE-2026-22207.