
CVE-2026-40525 — OpenViking < 0.3.9 Authentication Bypass via VikingBot OpenAPI

CVSS 9.1 · Critical · EPSS 0.29% · P53

I. Basic Information for CVE-2026-40525

Vulnerability Information


Vulnerability Title
OpenViking < 0.3.9 Authentication Bypass via VikingBot OpenAPI
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Failure to Fail Safely (Failing Open)
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenViking Security Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenViking is an open-source context database for AI agents developed by Volcengine. Versions of OpenViking prior to commit c7bb167 contain a security vulnerability that stems from an authentication bypass on the VikingBot OpenAPI HTTP route surface: when the api_key configuration value is unset or empty, the authentication check fails open, which may allow remote attackers to invoke privileged bot-control functionality without providing a valid X-API-Key header.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
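The two descriptions above agree on the root cause: the X-API-Key check treats a missing or empty api_key setting as "no authentication required" rather than as a misconfiguration. The following added example (written for this page, not OpenViking's code; the function names, the configuration dict and the sample requests are all constructed assumptions) shows that fail-open pattern next to a fail-closed version, plus a startup guard that refuses to expose the route surface at all when no key is configured. Header lookup is case-insensitive because HTTP header names are.

```python
import hmac
from typing import Mapping, Optional

# Hypothetical helpers for this example only. They illustrate the class of bug
# described in CVE-2026-40525 and make no claim about OpenViking's actual code.


def _presented_key(headers: Mapping[str, str]) -> Optional[str]:
    """Return the X-API-Key header value, matching the name case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "x-api-key":
            return value
    return None


def check_api_key_fail_open(configured_key: Optional[str], headers: Mapping[str, str]) -> bool:
    """Vulnerable pattern: an unset or empty api_key disables the check entirely.

    With no key configured, every request is accepted, including requests that
    carry no X-API-Key header at all. This is the fail-open behaviour.
    """
    if not configured_key:
        return True  # BUG: treats "nothing configured" as "nothing to enforce"
    presented = _presented_key(headers)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), configured_key.encode())


def check_api_key_fail_closed(configured_key: Optional[str], headers: Mapping[str, str]) -> bool:
    """Hardened pattern: a missing or blank configuration is itself a rejection.

    Only a present, non-empty configured key compared in constant time against a
    present header value yields an accept decision.
    """
    if not configured_key or not configured_key.strip():
        return False  # fail closed: misconfiguration never grants access
    presented = _presented_key(headers)
    if presented is None or presented == "":
        return False
    return hmac.compare_digest(presented.encode(), configured_key.encode())


def require_api_key_at_startup(config: Mapping[str, Optional[str]]) -> str:
    """Startup guard: refuse to bring up the OpenAPI routes without a usable key.

    Catching the misconfiguration before the listener opens means the per-request
    check never has to decide what "no key" means.
    """
    key = config.get("api_key")
    if key is None or not key.strip():
        raise RuntimeError("api_key is unset or empty; refusing to start the OpenAPI route surface")
    return key


if __name__ == "__main__":
    # Constructed sample requests: one with no header, one with the right key.
    anonymous = {"Content-Type": "application/json"}
    legitimate = {"content-type": "application/json", "x-api-key": "example-key"}

    # Deployment that forgot to set api_key: the vulnerable check lets everything through.
    print("fail-open, no key configured, anonymous:", check_api_key_fail_open("", anonymous))
    # The hardened check rejects the same request.
    print("fail-closed, no key configured, anonymous:", check_api_key_fail_closed("", anonymous))
    # Properly configured deployment: both checks behave the same for a valid key.
    print("fail-closed, key configured, legitimate:", check_api_key_fail_closed("example-key", legitimate))
```

The detection angle follows directly from the startup guard: if the service must have a non-empty api_key to start, an instance that is up and answering OpenAPI requests without one is a configuration fault you can alert on, rather than a silent bypass.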


Affected Products

Vendor: volcengine · Product: OpenViking · Affected Versions: 0 ~ 0.3.9 · CPE: -

II. Public POCs for CVE-2026-40525

No public POC found.

III. Intelligence Information for CVE-2026-40525


IV. Related Vulnerabilities

V. Comments for CVE-2026-40525
