Vulnerability Information
Vulnerability Title
OpenViking < 0.3.9 Authentication Bypass via VikingBot OpenAPI
Vulnerability Description
OpenViking prior to version 0.3.9 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke privileged bot-control functionality without providing a valid X-API-Key header, including submitting attacker-controlled prompts, creating or using bot sessions, and accessing downstream tools, integrations, secrets, or data accessible to the bot.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
Not Failing Securely (Failing Open)
Vulnerability Title
OpenViking Security Vulnerability
Vulnerability Description
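OpenViking is an open-source context database for AI agents from Volcengine. Versions of OpenViking prior to c7bb167 contain a security vulnerability that stems from an authentication bypass in the VikingBot OpenAPI HTTP route surface: when the api_key configuration value is unset or empty, the authentication check fails open, which may allow remote attackers to invoke privileged bot-control functionality without providing a valid X-API-Key header.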
CVSS Information
N/A
Vulnerability Type
N/A
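
The fail-open condition described in the entries above, shown beside a fail-closed check and a startup guard. This is an added example, not OpenViking's code: the function names, the config dictionary shape, and the sample key are assumptions made for illustration; only the `api_key` setting and the `X-API-Key` header come from the advisory text.

```python
import hmac

HEADER = "x-api-key"  # header name from the advisory, compared case-insensitively


def _presented_key(headers):
    """Return the X-API-Key value from a header mapping, or None."""
    for name, value in headers.items():
        if name.lower() == HEADER:
            return value
    return None


def check_fail_open(configured_key, headers):
    """Flawed pattern: an unset or empty api_key switches the check off."""
    if not configured_key:  # None or "" -> request is treated as authenticated
        return True
    return _presented_key(headers) == configured_key


def check_fail_closed(configured_key, headers):
    """Hardened pattern: without a usable configured key, nothing is allowed."""
    if not isinstance(configured_key, str) or not configured_key.strip():
        return False
    presented = _presented_key(headers)
    if not presented:
        return False
    # Constant-time comparison of the presented and configured keys.
    return hmac.compare_digest(presented.encode(), configured_key.encode())


def require_api_key(config):
    """Startup guard: refuse to serve the routes when api_key is missing."""
    key = config.get("api_key")
    if not isinstance(key, str) or not key.strip():
        raise RuntimeError("api_key is unset or empty; refusing to start")
    return key


def compare(configured_key, headers):
    """Return (fail_open_result, fail_closed_result) for one request."""
    return (check_fail_open(configured_key, headers),
            check_fail_closed(configured_key, headers))


if __name__ == "__main__":
    key = "constructed-sample-key"  # constructed value, not a real credential
    for cfg, hdrs in [(None, {}), ("", {}), (key, {}), (key, {"X-API-Key": key})]:
        print(repr(cfg), hdrs, compare(cfg, hdrs))
```

The two checks agree whenever a key is configured; they differ only when `api_key` is unset or empty, which is the case the advisory describes.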