CVE-2026-22207 in OpenViking
Summary
by MITRE • 02/26/2026
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.
Analysis
by VulDB Data Team • 03/01/2026
The vulnerability identified as CVE-2026-22207 affects OpenViking version 0.1.18 and earlier releases before commit 0251c70, representing a critical broken access control flaw that fundamentally undermines the security posture of the application. This vulnerability stems from the application's failure to properly enforce authentication mechanisms for administrative endpoints, creating a pathway for unauthenticated attackers to escalate privileges to root level access. The flaw specifically manifests when the root_api_key configuration parameter is omitted during system setup, leaving the application in a dangerous default state where no authentication is required for privileged operations.
The technical implementation of this vulnerability resides in the application's API endpoint handling logic, where certain administrative functions lack proper authentication checks. When the root_api_key is not configured, the application defaults to a permissive access model that allows any external entity to submit requests to protected endpoints without requiring valid authentication headers. This misconfiguration creates a direct attack vector that bypasses all intended security controls and access restrictions. The affected endpoints encompass a broad range of administrative capabilities including account management functions, resource manipulation operations, and system configuration controls that should only be accessible to authorized administrators.
The operational impact of this vulnerability is severe and far-reaching, as it provides attackers with complete control over the affected system. An unauthenticated attacker can leverage this flaw to perform actions such as creating or deleting user accounts, modifying system configurations, accessing sensitive data, and potentially establishing persistent access through privilege escalation. This represents a critical failure in the principle of least privilege and demonstrates a fundamental breakdown in the application's security architecture. The vulnerability's exploitation does not require any specialized tools or advanced techniques beyond basic network connectivity and HTTP request manipulation, making it particularly dangerous in environments where the application is exposed to untrusted networks.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-285, which addresses improper authorization issues, and maps to multiple ATT&CK techniques including T1078 for valid accounts and T1566 for credential harvesting. The flaw also demonstrates characteristics consistent with privilege escalation attacks and represents a failure in the application's defense-in-depth strategy. Organizations deploying OpenViking must immediately address this vulnerability through proper configuration management, ensuring that root_api_key is always configured with strong, unique credentials. Additionally, implementing network segmentation, monitoring for unauthorized API access attempts, and regular security audits of configuration files should be prioritized. The recommended mitigation includes updating to a patched version of OpenViking or applying the specific commit 0251c70 that addresses the access control implementation, along with establishing robust configuration management practices to prevent similar issues in the future.
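The fail-open pattern described above (authentication skipped when root_api_key is absent) and the configuration and monitoring mitigations recommended here are illustrated together in the following added example. This is not OpenViking's own code: the header name X-API-Key, the administrative route prefixes, the 32-character minimum, and the access-log format are assumptions chosen for the illustration; only the root_api_key setting comes from the advisory.

```python
"""Fail-closed API-key authorization and a matching log check.

Added illustration, not OpenViking's code. The route prefixes, the
"X-API-Key" header and the log format are assumptions for this example.
"""
import hmac

# Assumed privileged route prefixes (illustrative only).
ADMIN_PREFIXES = ("/admin/", "/accounts/", "/config/")


def is_admin_path(path: str) -> bool:
    """True for paths that should require the root key."""
    return path.startswith(ADMIN_PREFIXES)


def authorize_permissive(config: dict, headers: dict, path: str) -> bool:
    """The weak pattern the advisory describes: when no root key is
    configured the check is skipped entirely, so every caller is root."""
    key = config.get("root_api_key")
    if not key:
        return True  # fail-open: this is the bug class
    presented = headers.get("X-API-Key", "")
    return hmac.compare_digest(presented.encode(), key.encode())


def authorize_fail_closed(config: dict, headers: dict, path: str) -> bool:
    """Hardened pattern: a missing or empty root key means nobody reaches
    a privileged endpoint; non-privileged paths stay reachable."""
    if not is_admin_path(path):
        return True
    key = config.get("root_api_key")
    if not key:
        return False  # fail-closed instead of defaulting to root
    presented = headers.get("X-API-Key")
    if presented is None:
        return False
    # Constant-time comparison so a wrong key leaks nothing via timing.
    return hmac.compare_digest(presented.encode(), key.encode())


def validate_config(config: dict) -> list[str]:
    """Startup check: report an unsafe configuration rather than
    silently accepting it. Length threshold is an assumed policy."""
    problems = []
    key = config.get("root_api_key")
    if not key:
        problems.append("root_api_key is not set; administrative "
                        "endpoints would be unprotected")
    elif len(key) < 32:
        problems.append("root_api_key is shorter than 32 characters")
    return problems


# Constructed access-log lines in an assumed format:
# <timestamp> <method> <path> <status> key_present=<0|1>
LOG_LINES = [
    "2026-03-01T10:00:01Z GET /health 200 key_present=0",
    "2026-03-01T10:00:02Z POST /accounts/create 200 key_present=1",
    "2026-03-01T10:00:03Z POST /accounts/create 200 key_present=0",
    "2026-03-01T10:00:04Z PUT /config/settings 401 key_present=0",
    "2026-03-01T10:00:05Z DELETE /accounts/42 204 key_present=0",
]


def find_unauthenticated_admin_requests(lines: list[str]) -> list[tuple]:
    """Flag successful (2xx) requests to privileged paths that carried no
    API key: on a correctly configured server these should never occur."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash
        ts, method, path, status, key_flag = parts
        if not is_admin_path(path):
            continue
        if key_flag == "key_present=0" and status.startswith("2"):
            hits.append((ts, method, path))
    return hits


if __name__ == "__main__":
    empty_cfg = {}
    print("permissive, no key:", authorize_permissive(empty_cfg, {}, "/accounts/create"))
    print("fail-closed, no key:", authorize_fail_closed(empty_cfg, {}, "/accounts/create"))
    print("config problems:", validate_config(empty_cfg))
    for hit in find_unauthenticated_admin_requests(LOG_LINES):
        print("ALERT unauthenticated admin request:", hit)
```

The two authorize functions differ in one branch only: what happens when the key is absent. The log check mirrors the same condition from the detection side, so a deployment that has already shipped with a missing key can be found from its access logs.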