CVE-2026-40525
OpenViking · VikingBot
OpenViking VikingBot contains an authentication bypass in the OpenAPI route surface, allowing unauthenticated remote attackers to execute privileged bot-control functions.
Executive summary
An authentication bypass in OpenViking VikingBot permits unauthenticated remote attackers to execute privileged commands and access sensitive data.
Vulnerability
This is an authentication bypass: the API skips its authentication check entirely when the api_key configuration value is unset, so unauthenticated attackers can interact with the system with administrator privileges.
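The failure mode described above is a fail-open check: a missing configuration value disables authentication instead of denying access. The following is an added illustration written for this page, not VikingBot's code; the route prefix, configuration key name and function names are hypothetical. It places the fail-open pattern beside a fail-closed replacement that refuses to start without a key, denies when no key is configured, and compares the presented key in constant time.

```python
"""Added example (not VikingBot's code): the fail-open check described in the
advisory next to a fail-closed replacement. All names here are hypothetical."""
import hmac
from typing import Mapping, Optional

API_KEY_HEADER = "X-API-Key"  # header named in the advisory's monitoring guidance


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_request_fail_open(config: Mapping[str, Optional[str]],
                            headers: Mapping[str, str]) -> bool:
    """Vulnerable pattern: when api_key is unset the check is skipped and every
    caller is treated as an authenticated administrator."""
    expected = config.get("api_key")
    if not expected:
        return True  # BUG: missing configuration disables authentication
    return _header(headers, API_KEY_HEADER) == expected


def validate_config(config: Mapping[str, Optional[str]]) -> None:
    """Startup guard: refuse to expose the API surface without a non-empty key.
    (Minimum key length and rotation policy are left to the operator.)"""
    if not config.get("api_key"):
        raise RuntimeError("api_key must be set before exposing the OpenAPI routes")


def check_request_fail_closed(config: Mapping[str, Optional[str]],
                              headers: Mapping[str, str]) -> bool:
    """Hardened pattern: no configured key -> deny; missing header -> deny;
    otherwise compare in constant time to avoid timing leaks."""
    expected = config.get("api_key")
    if not expected:
        return False  # fail closed: misconfiguration must never grant access
    presented = _header(headers, API_KEY_HEADER)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    unset = {"api_key": None}
    print("fail-open, key unset, no header  ->", check_request_fail_open(unset, {}))
    print("fail-closed, key unset, no header->", check_request_fail_closed(unset, {}))
```

With `api_key` unset, the vulnerable check returns `True` for a request carrying no header at all, which is exactly the behaviour the advisory describes; the hardened check returns `False` in the same situation, and `validate_config` makes the misconfiguration a startup error rather than a silent bypass.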
Business impact
Successful exploitation allows an unauthorized party to manipulate bot sessions, submit arbitrary prompts, and access sensitive downstream integrations and secrets. With a CVSS score of 9.1, this vulnerability poses a significant risk of data exfiltration and unauthorized control over automated processes, potentially leading to severe reputational and operational damage.
Remediation
Immediate Action: Update VikingBot to the latest version, or apply the fix provided in commit c7bb167, immediately.
Proactive Monitoring: Audit application logs for API requests missing the X-API-Key header or unexpected requests originating from unauthorized network segments.
Compensating Controls: Deploy a Web Application Firewall (WAF) to filter and block requests to the OpenAPI route surface that do not contain valid authentication headers.
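The monitoring step above can be scripted against access logs. The following audit is an added example for this page, not a VikingBot tool; the JSON-lines log format, the `/openapi/` route prefix and the allowed management network are constructed assumptions and should be replaced with the deployment's own values. It flags OpenAPI requests that lack an X-API-Key header (and, more sharply, those that were answered 2xx without one, which indicates the bypass was exercised) and requests from outside the expected network segments.

```python
"""Added example (not part of the advisory or VikingBot): audit constructed
access-log lines for OpenAPI requests missing X-API-Key, accepted without a
key, or arriving from unexpected source networks."""
import ipaddress
import json
from typing import Dict, Iterable, List

# Assumptions for this example: route prefix of the bot-control API and the
# network segments from which administrative calls are expected.
OPENAPI_PREFIX = "/openapi/"
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample log in a hypothetical JSON-lines format (one event per line).
SAMPLE_LOG = """\
{"ts":"2026-05-01T10:00:01Z","src":"10.20.4.7","method":"POST","path":"/openapi/sessions","headers":{"X-API-Key":"***","Content-Type":"application/json"},"status":200}
{"ts":"2026-05-01T10:00:05Z","src":"203.0.113.9","method":"POST","path":"/openapi/sessions/42/prompt","headers":{"Content-Type":"application/json"},"status":200}
{"ts":"2026-05-01T10:00:09Z","src":"10.20.4.7","method":"GET","path":"/health","headers":{},"status":200}
{"ts":"2026-05-01T10:00:12Z","src":"198.51.100.23","method":"GET","path":"/openapi/secrets","headers":{"x-api-key":"***"},"status":200}
"""


def _has_header(headers: Dict[str, str], name: str) -> bool:
    """Case-insensitive presence check for an HTTP header name."""
    return any(k.lower() == name.lower() for k in headers)


def audit_lines(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per suspicious OpenAPI request, with the reasons it tripped."""
    findings: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"raw": raw, "reasons": ["unparseable_log_line"]})
            continue

        path = event.get("path", "")
        if not path.startswith(OPENAPI_PREFIX):
            continue  # only the bot-control route surface is in scope

        reasons: List[str] = []
        status = event.get("status", 0)
        if not _has_header(event.get("headers", {}), "X-API-Key"):
            reasons.append("missing_api_key_header")
            if isinstance(status, int) and 200 <= status < 300:
                # A successful response to a key-less request is the bypass in action.
                reasons.append("accepted_without_key")

        try:
            src = ipaddress.ip_address(event.get("src", ""))
            if not any(src in net for net in ALLOWED_NETWORKS):
                reasons.append("unexpected_source_network")
        except ValueError:
            reasons.append("invalid_source_address")

        if reasons:
            findings.append({
                "ts": event.get("ts"),
                "src": event.get("src"),
                "method": event.get("method"),
                "path": path,
                "status": status,
                "reasons": reasons,
            })
    return findings


def audit_text(text: str) -> List[Dict]:
    """Convenience wrapper: audit a whole log file's contents."""
    return audit_lines(text.splitlines())


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, the first request (allowed network, key present) and the `/health` probe produce nothing; the key-less request from 203.0.113.9 that was answered 200 is reported with all three reasons, and the `/openapi/secrets` call from 198.51.100.23 is reported only for its source network, since its key header is present under a lower-case name.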
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a critical security failure in access control. Administrators must ensure the application is updated immediately and that api_key configurations are verified as active and enforced to prevent unauthorized access to the bot-control surface.