CVE-2026-34999
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk34th percentile - higher than 34% of all known CVEs
Summary
OpenViking versions 0.2.5 through 0.2.13 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.
Risk Assessment
The risk is unauthorized access to the bot backend, which could lead to data leakage, manipulation of bot responses, or use of the bot to attack other systems.
Recommendation
Immediately upgrade OpenViking to version 0.2.14 or later, which includes a fix for the missing authentication. If upgrading is not possible, restrict access to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints using a firewall or access control lists.
Original NVD description (English source)
OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.

