CVE-2026-22680
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk31th percentile - higher than 31% of all known CVEs
Summary
OpenViking versions prior to 0.3.3 have a missing authorization vulnerability in task polling endpoints. Unauthenticated attackers can enumerate or retrieve background task metadata created by other users, including task type, status, resource identifiers, archive URIs, result payloads, and error information.
Risk Assessment
The risk involves potential cross-tenant data leakage in multi-tenant deployments and exposure of internal infrastructure and process details to unauthorized parties.
Recommendation
Immediately upgrade OpenViking to version 0.3.3 or later, which fixes the missing authorization in task endpoints.
Original NVD description (English source)
OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments.

