OpenViking Broken Access Control Vulnerability Allowing Anonymous ROOT Access

Vulnerability

A broken access control vulnerability has been identified in OpenViking versions through 0.1.18, prior to commit 0251c70. When the root_api_key configuration is omitted, the server treats requests that carry no authentication headers as coming from the ROOT user, so unauthenticated attackers gain ROOT privileges. This lets them reach protected endpoints and administrative functions such as account management, resource operations, and system configuration without any credentials.

Impact

Exploitation of this vulnerability allows for unauthorized access to ROOT privileges, enabling administrative actions to be performed without authentication.

Reproduction

To reproduce this vulnerability, configure the OpenViking server without a root_api_key and bind it to a non-loopback address. Start the server and then send requests to protected endpoints, such as those under /api/v1/admin/ or /api/v1/system/status, without any authentication headers. The requests will be processed as if they were sent by a ROOT user, bypassing authentication and authorization checks.

Remediation

Users should configure a root_api_key before starting the server; if no root_api_key is set, the server must be bound to localhost only so that it is not reachable from other hosts. The OpenViking documentation has been updated to reflect these requirements.
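The following Python example illustrates the fail-open pattern behind this class of bug and the two remediations above: a principal resolver that refuses to grant ROOT when no key is configured, and a startup guard that refuses to listen on a non-loopback address without one. It is an added illustration, not OpenViking's own code; only the configuration key name root_api_key comes from the advisory, while the function names, the header name "X-API-Key" and the sample requests are assumptions.

```python
"""Fail-closed handling of an optional root API key (illustrative, not OpenViking code)."""
import ipaddress
import secrets
from typing import Dict, List, Optional

ROOT = "ROOT"
ANONYMOUS = "ANONYMOUS"
API_KEY_HEADER = "X-API-Key"  # assumed header name, not taken from the advisory


def _key_matches(presented: str, expected: str) -> bool:
    """Constant-time comparison; encode so non-ASCII input cannot raise."""
    return secrets.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def resolve_principal_vulnerable(headers: Dict[str, str], root_api_key: Optional[str]) -> str:
    """Fail-open resolver: an unset key is read as 'no auth configured', so every
    caller, including one sending no headers at all, becomes ROOT."""
    if not root_api_key:
        return ROOT
    presented = headers.get(API_KEY_HEADER, "")
    return ROOT if presented and _key_matches(presented, root_api_key) else ANONYMOUS


def resolve_principal_fixed(headers: Dict[str, str], root_api_key: Optional[str]) -> str:
    """Fail-closed resolver: with no key configured nobody can be ROOT."""
    if not root_api_key:
        return ANONYMOUS
    presented = headers.get(API_KEY_HEADER, "")
    return ROOT if presented and _key_matches(presented, root_api_key) else ANONYMOUS


def is_loopback(host: str) -> bool:
    """True only for addresses that cannot be reached from another machine."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames other than localhost are treated as remote-reachable


def startup_problems(bind_host: str, root_api_key: Optional[str]) -> List[str]:
    """Reasons the server must refuse to start; an empty list means it may start.
    Encodes the advisory's rule: no root_api_key implies loopback binding only."""
    problems: List[str] = []
    if not root_api_key and not is_loopback(bind_host):
        problems.append(
            f"root_api_key is unset but bind address {bind_host!r} is not loopback; "
            "set root_api_key or bind to 127.0.0.1"
        )
    return problems


def authorize_admin(principal: str) -> bool:
    """Administrative endpoints are only for ROOT."""
    return principal == ROOT


if __name__ == "__main__":
    # Constructed sample: an anonymous request (no headers) against an unset key.
    no_headers: Dict[str, str] = {}
    print("vulnerable:", resolve_principal_vulnerable(no_headers, None))  # ROOT
    print("fixed:     ", resolve_principal_fixed(no_headers, None))       # ANONYMOUS
    print("guard:     ", startup_problems("0.0.0.0", None))
```

The startup guard is the check to run before the listener is opened: a process that exits at boot with a clear message is far easier to notice than one that silently serves ROOT to the network.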

Added: Feb 26, 2026, 9:41 PM
Updated: Feb 26, 2026, 9:41 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         5.0
exploitability: 8.4
remediation:    0.0
relevance:      3.2
threat:         4.8
urgency:        2.9
incentive:      4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.