CVE Catalog

CVE-2026-22680

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

31th percentile - higher than 31% of all known CVEs

Summary

OpenViking versions prior to 0.3.3 have a missing authorization vulnerability in task polling endpoints. Unauthenticated attackers can enumerate or retrieve background task metadata created by other users, including task type, status, resource identifiers, archive URIs, result payloads, and error information.

Risk Assessment

The risk involves potential cross-tenant data leakage in multi-tenant deployments and exposure of internal infrastructure and process details to unauthorized parties.

Recommendation

Immediately upgrade OpenViking to version 0.3.3 or later, which fixes the missing authorization in task endpoints.

Original NVD description (English source)

OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS