CVE-2026-40525: CWE-636 Not Failing Securely ('Fail Open') in volcengine OpenViking
OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.
AI Analysis
Technical Summary
CVE-2026-40525 describes an authentication bypass in volcengine's OpenViking product before version 0.3.9. The vulnerability arises because the VikingBot OpenAPI HTTP route fails open when the api_key configuration value is missing or empty, allowing unauthenticated remote attackers to access privileged bot-control functionality. This includes submitting attacker-controlled prompts, managing bot sessions, and accessing sensitive downstream resources. The CVSS 4.0 score is 9.1 (critical), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Potential Impact
Exploitation of this vulnerability allows remote attackers to bypass authentication controls and perform privileged operations on the OpenViking bot, including executing arbitrary prompts and accessing sensitive integrations and secrets. This can lead to unauthorized data access and manipulation of bot-controlled resources, posing a critical security risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided and the remediation level is unspecified, users should verify if version 0.3.9 or later is available and apply it once confirmed. Until then, ensure the api_key configuration is properly set and not left empty to avoid the fail-open condition.
CVE-2026-40525: CWE-636 Not Failing Securely ('Fail Open') in volcengine OpenViking
Description
OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.
CVSS v4.0
Score 9.1critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40525 describes an authentication bypass in volcengine's OpenViking product before version 0.3.9. The vulnerability arises because the VikingBot OpenAPI HTTP route fails open when the api_key configuration value is missing or empty, allowing unauthenticated remote attackers to access privileged bot-control functionality. This includes submitting attacker-controlled prompts, managing bot sessions, and accessing sensitive downstream resources. The CVSS 4.0 score is 9.1 (critical), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Potential Impact
Exploitation of this vulnerability allows remote attackers to bypass authentication controls and perform privileged operations on the OpenViking bot, including executing arbitrary prompts and accessing sensitive integrations and secrets. This can lead to unauthorized data access and manipulation of bot-controlled resources, posing a critical security risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch links are provided and the remediation level is unspecified, users should verify if version 0.3.9 or later is available and apply it once confirmed. Until then, ensure the api_key configuration is properly set and not left empty to avoid the fail-open condition.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-13T20:29:02.810Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e27e0fbdfbbecc5978c959
Added to database: 4/17/2026, 6:38:07 PM
Last enriched: 4/25/2026, 2:47:50 AM
Last updated: 6/2/2026, 4:27:30 AM
Views: 79
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.