QwikSec

Security Database

CVE

CWE

Training

CVE-2026-22680

Published: Apr 7, 2026

Modified: Apr 8, 2026

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.

Vendor	Product	Versions
Volcengine	OpenViking	affected `0 - < 0.3.3` unaffected `8c1c3f3608364ee0bb0e45f73478771a68aebdf5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/volcengine/OpenViking/releases/tag/v0.3.3

release-notes

https://github.com/volcengine/OpenViking/pull/1182

issue-tracking

https://github.com/volcengine/OpenViking/commit/8c1c3f3608364ee0bb0e45f73478771a68aebdf5

patch

https://www.vulncheck.com/advisories/openviking-missing-authorization-via-task-polling

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.