Platform: other
Component: openviking
Fixed version: 0.2.14
CVE-2026-34999 describes an authentication bypass vulnerability discovered in OpenViking. This flaw allows unauthenticated attackers to directly interact with the upstream bot backend through the OpenViking proxy, bypassing authentication checks. The vulnerability affects versions 0.2.5 through 0.2.13 of OpenViking, and a fix is available in version 0.2.14.
An attacker exploiting this vulnerability can gain unauthorized access to the bot proxy functionality within OpenViking. This could lead to manipulation of bot responses, data exfiltration, or even the execution of arbitrary commands on the backend system, depending on the bot's capabilities and the underlying infrastructure. The lack of authentication means any external user can potentially leverage this bypass, significantly expanding the attack surface. The impact is amplified if the bot proxy handles sensitive data or interacts with critical systems, potentially leading to broader data breaches or system compromise.
CVE-2026-34999 was publicly disclosed on 2026-04-01. The vulnerability's simplicity and lack of authentication requirements suggest a potentially high probability of exploitation (medium EPSS score). No public proof-of-concept (PoC) code has been observed at the time of writing, but the ease of exploitation makes it a likely target for opportunistic attackers. It is not currently listed on the CISA KEV catalog.
Organizations deploying OpenViking as a bot proxy, particularly those exposing the proxy directly to the internet, are at significant risk. Environments utilizing OpenViking for sensitive applications or handling confidential data are especially vulnerable. Shared hosting environments where multiple users share the same OpenViking instance also face increased risk.
• linux / server: Monitor access logs for requests to /bot/v1/chat and /bot/v1/chat/stream endpoints without authentication headers. Use journalctl -u openviking to check for authentication-related errors.
    grep -i 'authentication failed' /var/log/openviking/access.log
• generic web: Use curl to test endpoint access without authentication. Verify that access is denied.
    curl -I http://<openviking_ip>/bot/v1/chat
• generic web: Examine response headers for unexpected content or error messages indicating authentication bypass.
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34999 is to upgrade OpenViking to version 0.2.14 or later, which includes the authentication fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /bot/v1/chat and /bot/v1/chat/stream endpoints without proper authentication headers. Additionally, review and restrict network access to the OpenViking proxy to limit potential attack vectors. After upgrading, verify the fix by attempting to access the /bot/v1/chat and /bot/v1/chat/stream endpoints without providing authentication credentials; access should be denied.
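The post-upgrade check described above can be scripted so both endpoints are tested the same way each time. This is an added example, not code from the OpenViking project; it assumes curl is installed and that a patched proxy answers unauthenticated requests with 401 or 403 (the page only says access should be denied), and the optional METHOD argument is a hypothetical convenience for deployments where a HEAD request is not meaningful.

```shell
#!/bin/sh
# Added example (not OpenViking code): confirm both bot proxy endpoints
# reject requests that carry no credentials.
# Usage: sh verify_openviking.sh http://<openviking_ip> [METHOD]

ENDPOINTS="/bot/v1/chat /bot/v1/chat/stream"   # paths named in the advisory

# Map the HTTP status of a credential-less request to a verdict.
# Assumption: a fixed proxy denies with 401 or 403.
classify_status() {
    case "$1" in
        401|403) echo "DENIED" ;;        # auth check rejected the request
        2??)     echo "EXPOSED" ;;       # served without credentials
        000)     echo "UNREACHABLE" ;;   # curl could not connect or timed out
        *)       echo "INCONCLUSIVE" ;;  # 404/405/3xx/5xx: no proof the auth check ran
    esac
}

# Send one request with no Authorization header or cookie; print the status code.
probe() {
    base=$1; path=$2; method=${3:-HEAD}
    if [ "$method" = "HEAD" ]; then
        curl -s -I -o /dev/null -m 10 -w '%{http_code}' "$base$path"
    else
        curl -s -X "$method" -o /dev/null -m 10 -w '%{http_code}' "$base$path"
    fi
}

# Check every endpoint; return 0 only if all of them are DENIED.
verify_all() {
    base=${1%/}; method=${2:-HEAD}; rc=0
    for path in $ENDPOINTS; do
        code=$(probe "$base" "$path" "$method") || true
        verdict=$(classify_status "${code:-000}")
        printf '%-22s %s %s\n' "$path" "${code:-000}" "$verdict"
        [ "$verdict" = "DENIED" ] || rc=1
    done
    return $rc
}

# Run only when a base URL is supplied on the command line.
if [ "$#" -gt 0 ]; then
    verify_all "$@"
fi
```

An INCONCLUSIVE result (for example a 405 to the HEAD request that `curl -I` sends) does not show that authentication is enforced; rerun with the method your deployment's clients use.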
Update OpenViking to version 0.2.14 or later. This version fixes the authentication vulnerability in the bot proxy endpoints and prevents unauthorized access.
CVE-2026-34999 is an authentication bypass vulnerability in OpenViking versions 0.2.5 through 0.2.13, allowing unauthenticated access to bot proxy functionality.
You are affected if you are running OpenViking versions 0.2.5 through 0.2.13 and have not yet upgraded.
Upgrade OpenViking to version 0.2.14 or later. As a temporary workaround, implement a WAF rule to block unauthorized access to the vulnerable endpoints.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation.
Refer to the OpenViking project's official website or security mailing list for the latest advisory regarding CVE-2026-34999.