CVE-2026-40525

OpenViking · VikingBot

OpenViking VikingBot contains an authentication bypass in the OpenAPI route surface, allowing unauthenticated remote attackers to execute privileged bot-control functions.

Executive summary

An authentication bypass in OpenViking VikingBot permits unauthenticated remote attackers to execute privileged bot-control commands and access sensitive data. The root cause is that, when no api_key is configured, the API applies no authentication at all instead of refusing requests.

Vulnerability

This is an authentication bypass in which the API's authentication check fails open: when the api_key configuration is unset or empty, the check is skipped entirely rather than rejecting every request, so unauthenticated attackers can interact with the system as an administrator. Any deployment that never set api_key (for example a default install) is exposed without any further action by the attacker.
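The fail-open pattern described above, shown as a hypothetical Python function beside a fail-closed replacement. This is an added illustration written for this advisory, not OpenViking's source and not the contents of commit c7bb167; only the X-API-Key header name comes from the advisory. The function names, the config shape, and the assumption that an empty string counts as unset are this example's own.

```python
"""Fail-open vs fail-closed API-key checks (illustration for CVE-2026-40525).

Hypothetical code, not the VikingBot implementation.
"""
import hmac
from typing import Mapping, Optional

HEADER = "X-API-Key"  # header name as given in the advisory


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def vulnerable_authorize(configured_key: Optional[str],
                         headers: Mapping[str, str]) -> bool:
    """Fail-open check of the kind the advisory describes.

    If no api_key is configured, every request is accepted, so an
    unauthenticated caller reaches the privileged routes.
    """
    if not configured_key:
        return True  # the bug: "unset" is treated as "authentication disabled"
    return _get_header(headers, HEADER) == configured_key


def hardened_authorize(configured_key: Optional[str],
                       headers: Mapping[str, str]) -> bool:
    """Fail-closed check: unset/empty api_key rejects everything.

    The comparison uses hmac.compare_digest so that a wrong key cannot be
    distinguished from a right one by response timing.
    """
    if not configured_key:
        return False  # no key configured means nobody is authorised
    presented = _get_header(headers, HEADER)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               configured_key.encode("utf-8"))


def require_api_key_configured(config: Mapping[str, object]) -> str:
    """Startup guard (hypothetical): refuse to boot with no api_key.

    Rejecting at startup is more robust than rejecting per request, because
    an operator notices immediately instead of running exposed.
    """
    key = config.get("api_key")
    if not isinstance(key, str) or not key.strip():
        raise RuntimeError("api_key must be set to a non-empty value before "
                           "exposing the API")
    return key


if __name__ == "__main__":
    # Constructed requests: one without the header, one with the right key.
    anonymous = {"Content-Type": "application/json"}
    authed = {"x-api-key": "s3cret", "Content-Type": "application/json"}

    print("unset key, anonymous request, vulnerable:",
          vulnerable_authorize(None, anonymous))   # True  (bypass)
    print("unset key, anonymous request, hardened: ",
          hardened_authorize(None, anonymous))     # False (fail closed)
    print("set key, correct header, hardened:      ",
          hardened_authorize("s3cret", authed))    # True
```

The behaviour difference is entirely in the first branch: the vulnerable version returns True when the operator has not configured a key, the hardened version returns False. The startup guard is the check an operator should add in any case so that a missing api_key is a deployment error rather than a silent bypass.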

Business impact

Successful exploitation lets an unauthenticated party manipulate bot sessions, submit arbitrary prompts, and reach the sensitive downstream integrations and secrets the bot holds. With a CVSS score of 9.1, the vulnerability carries a significant risk of data exfiltration and unauthorized control over automated processes, with potentially severe reputational and operational damage.

Remediation

Immediate Action: Update VikingBot to the latest version or apply the fix provided in commit c7bb167. Independently of the upgrade, set api_key to a non-empty value in every deployment; on unpatched versions this is the only setting that activates the authentication check at all.

Proactive Monitoring: Audit application logs for API requests that lack the X-API-Key header, and for requests to the bot-control routes originating from unexpected or unauthorized network segments. On an unpatched instance with api_key unset, such requests will have succeeded rather than been rejected, so their presence is evidence of possible abuse, not of blocked attempts.
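The audit described above, as an added example that is not part of the original advisory. It runs over a few constructed JSON-lines access-log records (the real VikingBot log format is not specified on this page, so the field names ts, src, method, path and headers are this example's assumption), flags requests without an X-API-Key header and requests from outside a trusted network list, and returns the findings for further triage. The trusted network, the list of paths allowed without a key, and the sample source addresses are all constructed.

```python
"""Audit access logs for unauthenticated or out-of-segment API requests.

Added example for CVE-2026-40525; not OpenViking's tooling. The log format
below is an assumption: one JSON object per line with ts, src, method, path
and a headers map.
"""
import ipaddress
import json
from typing import Dict, Iterable, List

# Constructed sample log. "redacted" stands in for real key values, which
# should never be written to logs in the first place.
SAMPLE_LOG = """\
{"ts":"2026-04-01T10:00:01Z","src":"10.0.5.12","method":"POST","path":"/sessions","headers":{"X-API-Key":"redacted","Content-Type":"application/json"}}
{"ts":"2026-04-01T10:00:07Z","src":"203.0.113.9","method":"POST","path":"/sessions","headers":{"Content-Type":"application/json"}}
{"ts":"2026-04-01T10:00:09Z","src":"10.0.5.12","method":"GET","path":"/health","headers":{}}
{"ts":"2026-04-01T10:00:15Z","src":"198.51.100.4","method":"POST","path":"/prompt","headers":{"x-api-key":"redacted"}}
"""

# Assumed deployment facts: the bot's callers live in 10.0.0.0/8 and only
# the health check is expected to be called without a key.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
UNAUTHENTICATED_PATHS = {"/health"}


def audit_log(lines: Iterable[str],
              trusted=TRUSTED_NETWORKS,
              unauthenticated_paths=UNAUTHENTICATED_PATHS) -> List[Dict]:
    """Return one finding per suspicious request, with the reasons attached."""
    findings: List[Dict] = []
    for lineno, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "reasons": ["unparseable record"]})
            continue

        # Header names are case-insensitive, so normalise before checking.
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        reasons: List[str] = []

        if rec.get("path") not in unauthenticated_paths and "x-api-key" not in headers:
            reasons.append("missing X-API-Key")

        try:
            src = ipaddress.ip_address(rec.get("src", ""))
            if not any(src in net for net in trusted):
                reasons.append("untrusted source")
        except ValueError:
            reasons.append("bad source address")

        if reasons:
            findings.append({
                "line": lineno,
                "ts": rec.get("ts"),
                "src": rec.get("src"),
                "method": rec.get("method"),
                "path": rec.get("path"),
                "reasons": reasons,
            })
    return findings


def audit_text(log_text: str, **kwargs) -> List[Dict]:
    """Convenience wrapper for a whole log file held as one string."""
    return audit_log(log_text.splitlines(), **kwargs)


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['method']} {finding['path']} "
              f"from {finding['src']}: {', '.join(finding['reasons'])}")
```

On the sample data the second record is flagged for both reasons and the fourth only for its source address; the health check and the in-segment authenticated call produce no finding. Adapt the trusted networks and the allowed unauthenticated paths to the deployment before running this against real logs.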

Compensating Controls: Deploy a Web Application Firewall (WAF) in front of the OpenAPI route surface to block requests that carry no authentication header. Note the limit of this control: a WAF can check that an X-API-Key header is present, but it cannot verify the key's value unless it holds the key itself, so it is a stopgap until api_key is set and the patched version is deployed, not a substitute for either.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability represents a critical access-control failure. Administrators must ensure the application is updated immediately and must verify that api_key is set to a non-empty value and that the bot-control routes reject requests without it, since an unset api_key is exactly the condition that leaves the surface open.