CVE-2026-40525 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: April 17, 2026
OpenViking - Authentication Bypass
Overview
OpenViking prior to commit c7bb167 contains an authentication bypass caused by missing or empty api_key configuration in VikingBot OpenAPI HTTP routes, letting remote attackers invoke privileged bot-control functions without valid credentials.
Severity & Score
Impact
Remote attackers can bypass authentication to control bot functions and access sensitive data, risking full system compromise.
Mitigation
Update to the version including commit c7bb167 or later.
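A minimal sketch of the fail-open pattern the overview describes (CWE-636), next to a fail-closed check and a startup validation. This is an added illustration, not OpenViking's code or the change in commit c7bb167; the function names, the config dictionary shape and the sample keys are hypothetical.

```python
import hmac
from typing import Optional


def check_fail_open(configured_key: Optional[str], presented_key: Optional[str]) -> bool:
    """Fail-open pattern: an unset or empty key disables the check entirely."""
    if not configured_key:
        return True  # no key configured -> every caller is treated as authenticated
    return presented_key == configured_key


def check_fail_closed(configured_key: Optional[str], presented_key: Optional[str]) -> bool:
    """Fail-closed pattern: without a configured key, nobody is authenticated."""
    if not configured_key or not configured_key.strip():
        return False  # misconfiguration denies access instead of granting it
    if not presented_key:
        return False
    # Constant-time comparison avoids leaking key contents through timing.
    return hmac.compare_digest(presented_key.encode(), configured_key.encode())


def validate_startup_config(config: dict) -> str:
    """Refuse to expose the HTTP routes when api_key is missing or blank."""
    key = config.get("api_key")
    if not isinstance(key, str) or not key.strip():
        raise ValueError("api_key must be set to a non-empty value")
    return key


# Constructed sample cases: (configured api_key, key sent by the caller)
CASES = [
    (None, None),
    ("", "anything"),
    ("s3cret-constructed", None),
    ("s3cret-constructed", "wrong"),
    ("s3cret-constructed", "s3cret-constructed"),
]


def compare_checks():
    """Return (configured, presented, fail_open_result, fail_closed_result) rows."""
    return [(c, p, check_fail_open(c, p), check_fail_closed(c, p)) for c, p in CASES]


if __name__ == "__main__":
    for row in compare_checks():
        print(row)
```

Rows where the two result columns differ are the misconfigured deployments: the fail-open check accepts every request, the fail-closed check rejects them.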
References
Social Media Activity (2 posts)
CVE-2026-40525 - Critical (9.1) OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the api_key configuration value is unset or empty. Remote attackers with... https://www.thehackerwire.com/vulnerability/CVE-2026-40525/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-40525
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_authentication
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-636
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N