CVE-2026-34999

EUVD-2026-17905

01.04.2026, 14:16

OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without providing valid credentials.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 25%

Affected Products (NVD)

Vendor	Product	Version
volcengine	openviking	0.2.5 ≤ 𝑥 < 0.2.14

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://github.com/volcengine/OpenViking/commit/27acda8d1701ff68423fbd6c902208e3c1ed9373

https://github.com/volcengine/OpenViking/pull/996

https://github.com/volcengine/OpenViking/releases/tag/v0.2.14

https://www.vulncheck.com/advisories/openviking-bot-proxy-endpoints-allow-unauthenticated-access