Platform
linux
Component
openviking
Fixed version
0.1.19
CVE-2026-22207 describes a broken access control vulnerability in OpenViking, a Linux-based application. If the rootapikey configuration value is not set, unauthenticated attackers can escalate their privileges to ROOT. The vulnerability affects versions from 0.0.0 up to and including 0251c7045b3f8092c4d2e1565115b1ba23db282f. A fix has been released in version 0.1.19.
The impact of this vulnerability is severe. An attacker can exploit it to gain complete control over the OpenViking instance, effectively achieving root-level access. That allows them to do anything the root user can: modify system files, install malicious software, access sensitive data, and potentially pivot to other systems on the network. Because no authentication is required, an attacker needs no credentials at all, which makes this vulnerability particularly dangerous. Unauthenticated management of accounts, resources, and system configuration represents a significant security risk.
The likelihood of exploitation is considered high because the flaw is easy to exploit and requires no authentication. No public proof-of-concept (PoC) code had been released as of the publication date, but the simplicity of the exploit suggests one could be developed quickly. The vulnerability was disclosed on 2026-02-26. It is not currently listed in the CISA KEV catalog.
Organizations deploying OpenViking in production environments, particularly those with legacy configurations or shared hosting setups, are at significant risk. Systems where the rootapikey configuration has been overlooked or improperly secured are especially vulnerable. Any environment relying on OpenViking for critical operations should prioritize patching.
• linux / server:
journalctl -u openviking | grep -i "unauthorized access"
• linux / server:
ps aux | grep -i "openviking" | grep -i "root"
• linux / server:
find /etc/openviking -name 'root_api_key' -print
Disclosure
Exploitation status
EPSS
0.20% (42nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-22207 is to immediately upgrade OpenViking to version 0.1.19 or later. If upgrading is not immediately feasible, a temporary workaround is to ensure the rootapikey configuration is always set and properly secured. This key should be a strong, randomly generated value and stored securely. Consider implementing stricter network segmentation to limit the potential blast radius if the system is compromised. Monitor access logs for suspicious activity, particularly requests to administrative endpoints without proper authentication.
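As an added example (not code from the OpenViking project or from this advisory), the following POSIX shell script turns the workaround above into a check a defender can run before the service is started: it verifies that root_api_key is present in the configuration, is not a placeholder value and is long enough, and shows how to generate a strong random value from the kernel RNG. The configuration file path and the "root_api_key = value" line syntax are assumptions; take the real ones from the OpenViking documentation (this page spells the setting both rootapikey and root_api_key). The sample configuration files at the end are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not OpenViking's own tooling): a pre-deployment check that an
# OpenViking-style configuration file sets root_api_key to a usable value.
# ASSUMPTIONS: the config is a plain text file containing one
# "root_api_key = value" (or "root_api_key: value") line; the real file path
# and syntax must be taken from the OpenViking documentation.

# check_root_api_key FILE -> returns 0 if FILE sets an acceptable key, 1 otherwise
check_root_api_key() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "FAIL: $cfg is missing or not readable"
        return 1
    fi
    # Take the first root_api_key line, drop the key name and separator,
    # then strip surrounding single or double quotes.
    key=$(grep -E '^[[:space:]]*root_api_key[[:space:]]*[=:]' "$cfg" | head -n 1 \
          | sed -E "s/^[^=:]*[=:][[:space:]]*//; s/^[\"']//; s/[\"'][[:space:]]*$//")
    if [ -z "$key" ]; then
        echo "FAIL: root_api_key is not set in $cfg (unauthenticated root access possible)"
        return 1
    fi
    # Reject obvious placeholder values (constructed list, extend as needed).
    case "$key" in
        changeme|CHANGEME|password|secret|test|root|admin|12345*)
            echo "FAIL: root_api_key in $cfg is a placeholder value"
            return 1 ;;
    esac
    # 32 characters is the minimum accepted here; shorter keys are treated as weak.
    if [ "${#key}" -lt 32 ]; then
        echo "FAIL: root_api_key in $cfg is only ${#key} characters long"
        return 1
    fi
    echo "OK: $cfg sets a root_api_key of ${#key} characters"
    return 0
}

# generate_root_api_key -> 32 random bytes from the kernel RNG, hex-encoded (64 chars)
generate_root_api_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# --- Demonstration on constructed sample configs (not real OpenViking files) ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
printf 'listen = 0.0.0.0:8080\n' > "$tmpdir/unset.conf"                          # key absent
printf 'root_api_key = "changeme"\n' > "$tmpdir/weak.conf"                       # placeholder
printf 'root_api_key = "%s"\n' "$(generate_root_api_key)" > "$tmpdir/good.conf"  # strong key

for f in unset weak good; do
    check_root_api_key "$tmpdir/$f.conf"
done
```

Run the check from the service's start-up hook or a configuration-management test so that an instance whose key was never set fails before it is exposed on the network; the generated key should be written to the configuration with restrictive file permissions rather than passed on a command line.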
Update OpenViking to version 0.1.19 or later to mitigate the vulnerability. Restrict administrative access and make sure root_api_key is configured, so that privileged functions cannot be reached anonymously.
CVE-2026-22207 is a CRITICAL vulnerability in OpenViking allowing unauthenticated attackers to gain ROOT privileges if the rootapikey is missing. It affects versions 0.0.0–0251c7045b3f8092c4d2e1565115b1ba23db282f.
You are affected if you are running OpenViking versions 0.0.0 through 0251c7045b3f8092c4d2e1565115b1ba23db282f and have not configured the rootapikey.
Upgrade OpenViking to version 0.1.19 or later. As a temporary workaround, ensure the rootapikey configuration is always set and properly secured.
There is no confirmed active exploitation of CVE-2026-22207 at this time, but the ease of exploitation suggests it could be targeted.
Refer to the OpenViking project's official website or security mailing list for the advisory related to CVE-2026-22207.