PatchSiren cyber security CVE debrief
CVE-2026-22680 Volcengine CVE debrief
CVE-2026-22680 is a missing authorization vulnerability in OpenViking versions prior to 0.3.3. The vulnerability allows unauthorized attackers to enumerate or retrieve background task metadata created by other users, potentially causing cross-tenant interference in multi-tenant deployments. This issue affects users of OpenViking and requires immediate attention to prevent exploitation.
- Vendor
- Volcengine
- Product
- OpenViking
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-07
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-07
- Advisory updated
- 2026-07-14
Who should care
Users of OpenViking versions prior to 0.3.3 should be aware of this vulnerability and take necessary actions to mitigate it. This includes operators, platform administrators, vulnerability management teams, and security teams who need to review and implement mitigations to prevent exploitation.
Technical summary
The vulnerability is caused by a missing authorization check in the task polling endpoints of OpenViking. This allows attackers to access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication, potentially causing cross-tenant interference in multi-tenant deployments. The issue can be mitigated by upgrading to version 0.3.3 or later and implementing proper authorization checks.
Defensive priority
Medium
Recommended defensive actions
- Upgrade OpenViking to version 0.3.3 or later
- Implement proper authorization checks for task polling endpoints
- Monitor for suspicious activity on task polling endpoints
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The vulnerability was reported by an unknown source and was analyzed by the NVD. The CVE record was published on 2026-04-07T18:16:38.853Z and was last modified on 2026-07-14T16:16:51.473Z. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify the affected product deployments and review official advisories for mitigation guidance.
Official resources
-
CVE-2026-22680 CVE record
CVE.org
-
CVE-2026-22680 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Exploit, Issue Tracking, Third Party Advisory
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-07T18:16:38.853Z and has not been modified since then.