CVE Catalog

CVE-2026-34999

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

34th percentile - higher than 34% of all known CVEs

Summary

OpenViking versions 0.2.5 through 0.2.13 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.

Risk Assessment

The risk is unauthorized access to the bot backend, which could lead to data leakage, manipulation of bot responses, or use of the bot to attack other systems.

Recommendation

Immediately upgrade OpenViking to version 0.2.14 or later, which includes a fix for the missing authentication. If upgrading is not possible, restrict access to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints using a firewall or access control lists.

Original NVD description (English source)

OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS