Platform
linux
Component
openviking
Fixed in
0.1.19
CVE-2026-22207 describes a broken access control vulnerability in OpenViking, an application deployed on Linux. When the root_api_key setting is left unset, the missing key is treated as "no check" rather than "no access": an unauthenticated remote caller is granted the ROOT role. In other words the default fails open. The affected range is given as versions from 0.0.0 up to and including 0251c7045b3f8092c4d2e1565115b1ba23db282f (the upper bound is a git commit hash rather than a release number). A fix has been released in version 0.1.19.
The impact is severe. An attacker who can reach the service obtains the ROOT role, which is everything the root API key is meant to gate: managing accounts, resources, and system configuration, and reading whatever data the instance holds. If the OpenViking process itself runs as the operating-system root user, compromise of the application is also compromise of the host, with the usual follow-on risks (tampering with files, installing tooling, pivoting to other systems). No credentials of any kind are needed, which is what makes the flaw so dangerous.
Exploitation is expected to be straightforward: the trigger is a missing configuration value and no authentication is required. No public proof-of-concept (PoC) had been released as of the publication date, but given the simplicity of the condition one could be written quickly. For context, the EPSS score at the time of writing is 0.20% (42nd percentile), and the CVE is not listed in the CISA KEV catalog. The vulnerability was disclosed on 2026-02-26.
Organizations running OpenViking in production, particularly with legacy configurations or shared hosting setups, are at significant risk. Any instance where root_api_key was overlooked or left at a weak or placeholder value is exposed. Environments relying on OpenViking for critical operations should prioritize patching.
• linux / server: `journalctl -u openviking | grep -i "unauthorized access"` (review the service journal for authorization failures and unexpected administrative activity)
• linux / server: `ps -eo user,pid,cmd | grep -i '[o]penviking'` (check which user the service runs as; the `[o]` pattern keeps grep's own process out of the output, and a root-run process turns this bug into a host compromise)
• linux / server: `find /etc/openviking -name 'root_api_key' -print` (confirm that a root API key is actually configured on disk)
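The shell checks above confirm the configuration state; the following added example (not part of the original page and not OpenViking's own tooling) shows the log-side check the mitigation section calls for: successful requests to administrative endpoints that presented no credential. The JSON-lines log format, the field names and the admin path prefixes are constructed for the example and must be adapted to the real deployment.

```python
"""Flag 2xx responses on administrative endpoints where no credential was
presented. Added example; the log format and field names are assumptions,
not OpenViking's documented logging."""
import json
from typing import Dict, Iterable, List

# Path prefixes assumed to require the root role; adjust per deployment.
ADMIN_PREFIXES = ("/api/admin/", "/api/accounts", "/api/config")

# Constructed sample log: one JSON object per line, with "auth" recording
# whether the request carried an Authorization header or API key.
SAMPLE_LOG = """\
{"ts":"2026-02-27T09:00:01Z","src":"203.0.113.5","method":"POST","path":"/api/accounts","status":200,"auth":false}
{"ts":"2026-02-27T09:00:02Z","src":"198.51.100.7","method":"GET","path":"/api/config","status":401,"auth":false}
{"ts":"2026-02-27T09:00:03Z","src":"10.0.0.12","method":"GET","path":"/api/config","status":200,"auth":true}
{"ts":"2026-02-27T09:00:04Z","src":"203.0.113.5","method":"DELETE","path":"/api/admin/users/42","status":204,"auth":false}
{"ts":"2026-02-27T09:00:05Z","src":"192.0.2.9","method":"GET","path":"/api/search","status":200,"auth":false}
"""


def is_admin_path(path: str) -> bool:
    return path.startswith(ADMIN_PREFIXES)


def find_unauthenticated_admin_success(lines: Iterable[str]) -> List[Dict]:
    """Return records where an admin endpoint answered 2xx to a request with
    no credential. With root_api_key set these would be 401/403; their
    presence is the tell for a fail-open root check."""
    hits: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting triage
        status = int(rec.get("status", 0))
        if (is_admin_path(rec.get("path", ""))
                and not rec.get("auth", False)
                and 200 <= status < 300):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_unauthenticated_admin_success(SAMPLE_LOG.splitlines()):
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["path"]} '
              f'-> {h["status"]} with no credential')
```

Run against the constructed sample, two of the five lines are flagged: the anonymous POST to /api/accounts and the anonymous DELETE under /api/admin/. The 401 on /api/config is what a correctly gated endpoint looks like and is deliberately not reported.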
Exploit Status
EPSS
0.20% (42nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-22207 is to upgrade OpenViking to version 0.1.19 or later without delay. If upgrading is not immediately feasible, a temporary workaround is to ensure root_api_key is always set: use a strong, randomly generated value, store it in a secrets manager or a root-only readable file rather than in a world-readable config, and verify after every deployment that the setting is still present. Apply network segmentation so the administrative interface is reachable only from trusted hosts, which limits the blast radius if the key is ever missing again. Monitor access logs for suspicious activity, in particular requests to administrative endpoints that succeed without presenting credentials.
Update OpenViking to version 0.1.19 or later to mitigate the vulnerability. Make sure the root API key (root_api_key) is configured so that administrative access is restricted and anonymous access to privileged functions is prevented.
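The description above (an unset root key yielding ROOT) and the workaround (always set a strong key) are two sides of one design point: a missing credential must deny, not skip the check. The following added example is illustrative code written for this page, not OpenViking's implementation; the function names, role strings and key-length threshold are assumptions. It shows the fail-open pattern beside a fail-closed one, plus the key generation and preflight check an operator can use for the workaround.

```python
"""Fail-open vs fail-closed root API key check. Added example; not OpenViking's
code. Role names and thresholds are assumptions for illustration."""
import hmac
import secrets
from typing import Optional

ROOT = "root"
ANONYMOUS = "anonymous"
PLACEHOLDERS = {"changeme", "password", "root", "test", "admin"}


def vulnerable_resolve_role(configured_root_key: Optional[str],
                            presented_key: Optional[str]) -> str:
    """Fail-open pattern matching the bug class: with no key configured there
    is nothing to compare against, the check is skipped, and every caller,
    authenticated or not, is treated as root."""
    if not configured_root_key:
        return ROOT  # the defect: absent configuration grants the root role
    if presented_key is not None and hmac.compare_digest(
            configured_root_key.encode(), presented_key.encode()):
        return ROOT
    return ANONYMOUS


def hardened_resolve_role(configured_root_key: Optional[str],
                          presented_key: Optional[str]) -> str:
    """Fail-closed pattern: a missing or empty root key disables the root role
    entirely; only a presented key that matches in constant time is accepted."""
    if not configured_root_key or presented_key is None:
        return ANONYMOUS
    if hmac.compare_digest(configured_root_key.encode(), presented_key.encode()):
        return ROOT
    return ANONYMOUS


def generate_root_key(nbytes: int = 32) -> str:
    """Strong, randomly generated key for the workaround (CSPRNG, URL-safe)."""
    return secrets.token_urlsafe(nbytes)


def key_is_acceptable(key: Optional[str], min_len: int = 32) -> bool:
    """Preflight check to run before starting the service: rejects unset,
    placeholder and short keys so a deployment cannot silently fail open."""
    if not key:
        return False
    if key.strip().lower() in PLACEHOLDERS:
        return False
    return len(key) >= min_len


if __name__ == "__main__":
    print("unset key, vulnerable :", vulnerable_resolve_role(None, None))
    print("unset key, hardened   :", hardened_resolve_role(None, None))
    k = generate_root_key()
    print("generated key ok      :", key_is_acceptable(k))
    print("correct key, hardened :", hardened_resolve_role(k, k))
```

The constant-time comparison (`hmac.compare_digest`) is incidental to this CVE but is the right primitive whenever a static API key is compared; the fix that matters here is that `hardened_resolve_role` returns the anonymous role when the operator forgot the key, which is exactly the case the upgrade to 0.1.19 is meant to close.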
CVE-2026-22207 is a CRITICAL vulnerability in OpenViking that lets unauthenticated attackers obtain ROOT privileges when root_api_key is missing. It affects versions 0.0.0 through commit 0251c7045b3f8092c4d2e1565115b1ba23db282f.
You are affected if you are running OpenViking at any version from 0.0.0 through commit 0251c7045b3f8092c4d2e1565115b1ba23db282f and have not configured root_api_key.
Upgrade OpenViking to version 0.1.19 or later. As a temporary workaround, ensure root_api_key is always set to a strong, randomly generated value and is properly secured.
There is no confirmed active exploitation of CVE-2026-22207 at this time, but the ease of exploitation suggests it could be targeted.
Refer to the OpenViking project's official website or security mailing list for the advisory related to CVE-2026-22207.