CVE-2026-22207 — OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken…

/HIGH
CVE Notify vulnerabilitycveidentity
CVE-2026-22207 — OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken…

Image via opengraph.githubassets.com

🚨 CVE-2026-22207 OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the rootapikey configuration is omitted.

fix(server): 未配置 root_api_key 时仅允许 localhost 绑定 · volcengine/OpenViking@0251c70
github.com

What This Means For You

  • New vulnerability disclosed — verify if your stack is exposed.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1078.004 Abuse Elevation Control Mechanism: Sudo and Operating System Credential Management Privilege Escalation

🛡️ Detection Rules

1 rule · 6 SIEM formats

1 detection rule mapped to MITRE ATT&CK. Free Sigma YAML below.

high T1190 Initial Access

Web Application Exploitation Attempt — CVE-2026-22207

Sigma YAML — free preview

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

IDTypeIndicator
CVE-2026-22207 Auth Bypass OpenViking through v0.1.18, affected component: access control, vulnerability: broken access control allowing unauthenticated ROOT privileges when root_api_key is omitted.
CVE-2026-22207 Privilege Escalation OpenViking through v0.1.18, affected component: access control, vulnerability: broken access control allowing unauthenticated ROOT privileges when root_api_key is omitted.
CVE-2026-22207 Path Traversal OpenViking through v0.1.18, affected component: access control, vulnerability: unauthenticated access to administrative functions including account management, resource operations, and system configuration via protected endpoints without authentication headers.
Source & Attribution
Source PlatformTelegram
ChannelCVE Notify
PublishedApril 07, 2026 at 21:26 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

Related coverage

Featured

Daily Security Digest — 2026-05-22

13 vulnerability disclosures (5 Critical, 8 High) and 14 curated intelligence stories from 6 sources.

daily-digestvulnerabilityCVEhigh-severitycwe-88privilege-escalationcwe-863criticalremote-code-executioncwe-434
/SCW Daily Digest /CRITICAL

Huawei Router Flaw Triggered Telecom Blackout, SecurityWeek Reports

SecurityWeek reports on a critical flaw in Huawei routers that led to a significant telecom blackout. While details are sparse, the incident underscores the inherent...

threat-intelvulnerabilityidentity
/SCW Vulnerability Desk /MEDIUM /⚑ 3 IOCs /⚙ 3 Sigma

WordPress Ditty Plugin: Authorization Bypass Exposes Non-Public Content

CVE-2026-9011 — The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and...

vulnerabilityCVEhigh-severitycwe-862
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 3 IOCs