Platform
other
Component
openviking
Fixed in
0.2.14
CVE-2026-34999 describes an authentication bypass vulnerability discovered in OpenViking. This flaw allows unauthenticated attackers to directly interact with the upstream bot backend through the OpenViking proxy, bypassing authentication checks. The vulnerability affects versions 0.2.5 through 0.2.13 of OpenViking, and a fix is available in version 0.2.14.
An attacker exploiting this vulnerability gains unauthenticated access to the bot proxy functionality within OpenViking. What that access is worth depends entirely on what the upstream bot can do: at minimum it allows an outsider to drive the bot and read its responses; if the bot handles sensitive data or is wired to other systems, it could enable data exfiltration or, where the bot has that capability, the execution of commands on the backend. Because no credentials are needed, anyone who can reach the proxy can attempt this, which materially expands the attack surface, and the impact grows with the sensitivity of the data and systems the bot touches.
CVE-2026-34999 was publicly disclosed on 2026-04-01. Because the affected endpoints require no credentials, exploitation needs little skill and is a natural target for opportunistic scanning; the current EPSS score nonetheless remains low at 0.06% (19th percentile), so predicted exploitation activity is limited for now. No public proof-of-concept (PoC) code has been observed at the time of writing, and the CVE is not listed in the CISA KEV catalog.
Exploit Status
EPSS
0.06% (19th percentile)
The primary mitigation for CVE-2026-34999 is to upgrade OpenViking to version 0.2.14 or later, which includes the authentication fix. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule can block requests to the /bot/v1/chat and /bot/v1/chat/stream endpoints that carry no authentication header. Treat this as a stopgap only: a WAF can check that a credential header is present, not that it is valid, so a request with a bogus header still reaches the unpatched proxy. Additionally, restrict network access to the OpenViking proxy (for example to the hosts that legitimately call it) to limit exposure. After upgrading, verify the fix by sending requests to /bot/v1/chat and /bot/v1/chat/stream without any credentials; both should be rejected (an HTTP 401 or 403), and a response that carries bot output indicates the proxy is still unpatched.
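The verification step above, as an added example (this is not OpenViking's code or the advisory's): a small Python probe that sends an unauthenticated POST to each of the two endpoint paths named in this advisory and reports whether the proxy rejected it. To make it runnable offline, the block also includes two constructed mock servers standing in for an unpatched and a patched proxy; the mock's use of an `Authorization` header, the empty JSON body, and the port/host are assumptions for the demonstration, not details taken from the OpenViking project.

```python
"""Probe the OpenViking bot-proxy endpoints without credentials and
report whether each one is denied (added example; mocks are constructed)."""
import http.server
import threading
import urllib.error
import urllib.request

# Endpoint paths named in the CVE-2026-34999 advisory.
ENDPOINTS = ("/bot/v1/chat", "/bot/v1/chat/stream")
# Status codes that count as "unauthenticated access denied".
REJECTING_STATUSES = {401, 403}


def probe(base_url, path, timeout=5):
    """POST an empty JSON body with no credentials to base_url+path.

    Returns the HTTP status code, or None if no HTTP response came back
    (connection refused, timeout), which the caller treats as 'not verified'.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=b"{}",
        method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def check_fix(base_url):
    """Return {path: True/False}; True means the proxy rejected the request."""
    return {path: probe(base_url, path) in REJECTING_STATUSES for path in ENDPOINTS}


# --- Constructed mock proxies (assumption: auth via an Authorization header). ---
class _MockProxy(http.server.BaseHTTPRequestHandler):
    require_auth = True  # False simulates the pre-0.2.14 bypass behaviour

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.path.startswith("/bot/v1/chat"):
            self.send_response(404)
            self.end_headers()
            return
        if self.require_auth and not self.headers.get("Authorization"):
            self.send_response(401)
            self.end_headers()
            return
        # Unauthenticated request reached the "upstream bot": the bypass case.
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"reply": "hello from the bot backend"}')

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock(require_auth):
    """Start a mock proxy on an ephemeral port; return (server, base_url)."""
    handler = type("MockProxy", (_MockProxy,), {"require_auth": require_auth})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    for label, require_auth in (("unpatched mock", False), ("patched mock", True)):
        srv, url = start_mock(require_auth)
        result = check_fix(url)
        verdict = "fix verified" if all(result.values()) else "STILL EXPOSED"
        print(label, result, verdict)
        srv.shutdown()
```

Against a real deployment, call `check_fix("https://your-openviking-host")` instead of a mock; a `None` status (no HTTP answer at all) is reported as not denied on purpose, so a network filter that drops the request is never mistaken for the application-level fix.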
Update OpenViking to version 0.2.14 or higher. This version fixes the authentication vulnerability in the bot proxy endpoints, preventing unauthorized access.
CVE-2026-34999 is an authentication bypass vulnerability in OpenViking versions 0.2.5 through 0.2.13, allowing unauthenticated access to bot proxy functionality.
You are affected if you are running OpenViking versions 0.2.5 through 0.2.13 and have not yet upgraded.
Upgrade OpenViking to version 0.2.14 or later. As a temporary workaround, implement a WAF rule to block unauthorized access to the vulnerable endpoints.
No active exploitation has been confirmed and the current EPSS score is low (0.06%, 19th percentile), but because the bypass needs no credentials or special skill, exposed instances are easy targets for opportunistic attackers.
Refer to the OpenViking project's official website or security mailing list for the latest advisory regarding CVE-2026-34999.