PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-22680 Volcengine CVE debrief

CVE-2026-22680 is a missing authorization vulnerability in OpenViking versions prior to 0.3.3. The vulnerability allows unauthorized attackers to enumerate or retrieve background task metadata created by other users, potentially causing cross-tenant interference in multi-tenant deployments. This issue affects users of OpenViking and requires immediate attention to prevent exploitation.

Vendor
Volcengine
Product
OpenViking
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-07
Original CVE updated
2026-07-14
Advisory published
2026-04-07
Advisory updated
2026-07-14

Who should care

Users of OpenViking versions prior to 0.3.3 should be aware of this vulnerability and take necessary actions to mitigate it. This includes operators, platform administrators, vulnerability management teams, and security teams who need to review and implement mitigations to prevent exploitation.

Technical summary

The vulnerability is caused by a missing authorization check in the task polling endpoints of OpenViking. This allows attackers to access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication, potentially causing cross-tenant interference in multi-tenant deployments. The issue can be mitigated by upgrading to version 0.3.3 or later and implementing proper authorization checks.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade OpenViking to version 0.3.3 or later
  • Implement proper authorization checks for task polling endpoints
  • Monitor for suspicious activity on task polling endpoints
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The vulnerability was reported by an unknown source and was analyzed by the NVD. The CVE record was published on 2026-04-07T18:16:38.853Z and was last modified on 2026-07-14T16:16:51.473Z. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify the affected product deployments and review official advisories for mitigation guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-07T18:16:38.853Z and has not been modified since then.