What is CVE-2026-34999?

CVE-2026-34999 is a medium-severity vulnerability in Volcengine Openviking, classified under Missing Authentication for Critical Function. CVSS score: 5.3/10. Published 2026-04-01.

How severe is CVE-2026-34999?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Auth bypass in Volcengine Openviking

CVE-2026-34999

OpenViking versions 0.2.5 prior to 0.2.14 contain a missing authentication vulnerability in the bot proxy router that allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/…

Vulnerability class: Broken Authentication

EPSS: 0.001 (25.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Volcengine Openviking — versions 0.2.5, 27acda8d1701ff68423fbd6c902208e3c1ed9373

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

github.com/volcengine/OpenViking/releases/tag/v0.2.14 (release-notes)
github.com/volcengine/OpenViking/pull/996 (issue-tracking)
github.com/volcengine/OpenViking/commit/27acda8d1701ff68423fbd6c902208e3c1ed9373 (patch)
www.vulncheck.com/advisories/openviking-bot-proxy-endpoints-allow-unauthenticat… (third-party-advisory)

Frequently asked questions

What is CVE-2026-34999?: CVE-2026-34999 is a medium-severity vulnerability in Volcengine Openviking, classified under Missing Authentication for Critical Function. CVSS score: 5.3/10. Published 2026-04-01.
How severe is CVE-2026-34999?: Medium severity. CVSS v3 base score is 5.3 out of 10.