CVE-2026-34999

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score: 5.3 / 10
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Description

OpenViking versions from 0.2.5 up to, but not including, 0.2.14 contain a missing authentication vulnerability in the bot proxy router. Remote unauthenticated attackers can access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.

Vulnerability Details

Published Date:
Last Modified:
CWE ID: CWE-306
Source: NVD
Vendor: Volcengine
Product: OpenViking
