CVE-2026-22680 describes a missing authorization vulnerability (CWE-862) in Volcengine's OpenViking software prior to version 0.3.3. The vulnerability affects the task polling API endpoints, allowing unauthenticated users to enumerate and retrieve background task metadata created by other users. Specifically, attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication, exposing sensitive task-related information such as task type, status, resource identifiers, archive URIs, result payloads, and error information. This issue can cause cross-tenant interference in multi-tenant deployments. The CVSS 4.0 vector indicates network attack vector, low complexity, no privileges or user interaction required, and low impact on confidentiality, with no impact on integrity or availability. There is no vendor advisory or patch available at this time.

Unauthorized attackers can access sensitive metadata about background tasks belonging to other users, potentially leading to information disclosure and cross-tenant data exposure in multi-tenant deployments. The exposed data includes task types, statuses, resource identifiers, archive URIs, result payloads, and error information. There is no indication of direct impact on data integrity or availability. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the affected API endpoints by implementing network-level controls or authentication proxies to prevent unauthenticated access. Monitor for unusual access patterns to these endpoints. Avoid exposing the vulnerable versions in production environments where multi-tenancy is used.