CVE-2026-22680: CWE-862 Missing Authorization in Volcengine OpenViking
OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.
AI Analysis
Technical Summary
CVE-2026-22680 is a missing authorization vulnerability (CWE-862) in Volcengine's OpenViking prior to version 0.3.3. The issue affects the task polling API endpoints, which do not require authentication, allowing unauthorized users to enumerate and retrieve metadata of background tasks created by other users. The exposed data includes task type, status, resource identifiers, archive URIs, result payloads, and error information. This vulnerability can cause cross-tenant interference in multi-tenant deployments by leaking sensitive task-related information. The CVSS 4.0 score is 6.9 (medium severity). There is no vendor advisory or patch available at this time.
Potential Impact
Unauthorized attackers can access sensitive background task metadata from other users without authentication. This exposure may lead to information disclosure and cross-tenant interference in multi-tenant deployments. However, there is no indication of direct code execution or privilege escalation. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the affected API endpoints through network controls or authentication proxies to prevent unauthorized access. Monitor for updates from Volcengine regarding official patches or mitigations.
CVE-2026-22680: CWE-862 Missing Authorization in Volcengine OpenViking
Description
OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-22680 is a missing authorization vulnerability (CWE-862) in Volcengine's OpenViking prior to version 0.3.3. The issue affects the task polling API endpoints, which do not require authentication, allowing unauthorized users to enumerate and retrieve metadata of background tasks created by other users. The exposed data includes task type, status, resource identifiers, archive URIs, result payloads, and error information. This vulnerability can cause cross-tenant interference in multi-tenant deployments by leaking sensitive task-related information. The CVSS 4.0 score is 6.9 (medium severity). There is no vendor advisory or patch available at this time.
Potential Impact
Unauthorized attackers can access sensitive background task metadata from other users without authentication. This exposure may lead to information disclosure and cross-tenant interference in multi-tenant deployments. However, there is no indication of direct code execution or privilege escalation. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the affected API endpoints through network controls or authentication proxies to prevent unauthorized access. Monitor for updates from Volcengine regarding official patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-01-08T19:04:26.365Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d5874d43e2781bad84f515
Added to database: 4/7/2026, 10:38:05 PM
Last enriched: 4/7/2026, 10:39:26 PM
Last updated: 4/8/2026, 5:23:28 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.