0.1.19
CVE-2026-22207 describes a broken access control vulnerability discovered in OpenViking, a Linux-based application. This flaw allows unauthenticated attackers to escalate privileges to ROOT if the rootapikey configuration is not properly set. The vulnerability affects versions from 0.0.0 up to and including 0251c7045b3f8092c4d2e1565115b1ba23db282f. A fix has been released in version 0.1.19.
The impact of this vulnerability is severe. An attacker can exploit it to gain complete control over the OpenViking instance, effectively achieving root-level access. This allows them to perform any action the root user can, including modifying system files, installing malicious software, accessing sensitive data, and potentially pivoting to other systems on the network. The lack of authentication requirements makes this vulnerability particularly dangerous, as an attacker does not need any credentials to exploit it. The ability to manage accounts, resources, and system configurations without authentication represents a significant security risk.
This vulnerability is considered high probability due to its ease of exploitation and the lack of authentication required. No public proof-of-concept (PoC) code has been publicly released as of the publication date, but the simplicity of the exploit suggests it could be developed quickly. The vulnerability was disclosed on 2026-02-26. It is not currently listed on the CISA KEV catalog.
Organizations deploying OpenViking in production environments, particularly those with legacy configurations or shared hosting setups, are at significant risk. Systems where the rootapikey configuration has been overlooked or improperly secured are especially vulnerable. Any environment relying on OpenViking for critical operations should prioritize patching.
• linux / server: journalctl -u openviking | grep -i "unauthorized access"
• linux / server: ps aux | grep -i "openviking" | grep -i "root"
• linux / server: find /etc/openviking -name 'root_api_key' -print
Disclosure
EPSS: 0.20% (42nd percentile)
The primary mitigation for CVE-2026-22207 is to immediately upgrade OpenViking to version 0.1.19 or later. If upgrading is not immediately feasible, a temporary workaround is to ensure the rootapikey configuration is always set and properly secured. This key should be a strong, randomly generated value and stored securely. Consider implementing stricter network segmentation to limit the potential blast radius if the system is compromised. Monitor access logs for suspicious activity, particularly requests to administrative endpoints without proper authentication.
Upgrade OpenViking to 0.1.19 or later to mitigate the vulnerability. Make sure root_api_key is configured so that administrative access is restricted and privileged functions cannot be reached anonymously.
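As an added example (not code from the OpenViking project or this advisory), a POSIX shell audit that checks whether a key/value style config file sets root_api_key to a value of reasonable length and mints a random replacement with openssl. The config format, the root_api_key spelling, the /etc/openviking path and the 32-character minimum are assumptions; adjust them to the real deployment.

```shell
#!/bin/sh
# Added example, not OpenViking project code. Assumes a text config with
# "root_api_key: value" or "root_api_key = value" lines (assumed format) and
# treats anything shorter than MIN_KEY_LEN characters as weak (assumed cutoff).

MIN_KEY_LEN=32

# Print the configured root_api_key with quotes and whitespace stripped,
# or nothing if the key is absent.
read_root_api_key() {
    sed -n -E 's/^[[:space:]]*root_api_key[[:space:]]*[:=][[:space:]]*//p' "$1" \
        | head -n 1 | tr -d '"'"'" | tr -d '[:space:]'
}

# Exit 0 if root_api_key is set and at least MIN_KEY_LEN characters long,
# 1 if it is missing or empty, 2 if it is set but too short.
check_root_api_key() {
    key=$(read_root_api_key "$1")
    if [ -z "$key" ]; then
        return 1
    elif [ "${#key}" -lt "$MIN_KEY_LEN" ]; then
        return 2
    fi
    return 0
}

# Produce a 256-bit key as 64 hex characters, suitable for root_api_key.
generate_root_api_key() {
    openssl rand -hex 32
}

# Constructed sample configs so the script runs stand-alone (default path
# would be something like /etc/openviking/<config>, as on the advisory page).
tmp=$(mktemp -d)
printf 'listen: 0.0.0.0:8080\n' > "$tmp/missing.conf"
printf 'root_api_key: "changeme"\n' > "$tmp/weak.conf"
printf 'root_api_key = %s\n' "$(generate_root_api_key)" > "$tmp/good.conf"
for name in missing weak good; do
    rc=0
    check_root_api_key "$tmp/$name.conf" || rc=$?
    case "$rc" in
        0) echo "$name.conf: root_api_key OK" ;;
        1) echo "$name.conf: root_api_key missing, unauthenticated root access possible" ;;
        2) echo "$name.conf: root_api_key too short, rotate it" ;;
    esac
done
rm -rf "$tmp"
```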
CVE-2026-22207 is a CRITICAL vulnerability in OpenViking allowing unauthenticated attackers to gain ROOT privileges if the rootapikey is missing. It affects versions 0.0.0–0251c7045b3f8092c4d2e1565115b1ba23db282f.
You are affected if you are running OpenViking versions 0.0.0 through 0251c7045b3f8092c4d2e1565115b1ba23db282f and have not configured the rootapikey.
Upgrade OpenViking to version 0.1.19 or later. As a temporary workaround, ensure the rootapikey configuration is always set and properly secured.
There is no confirmed active exploitation of CVE-2026-22207 at this time, but the ease of exploitation suggests it could be targeted.
Refer to the OpenViking project's official website or security mailing list for the advisory related to CVE-2026-22207.