OpenViking Missing Authentication Vulnerability in Bot Proxy Router

Vulnerability

A missing authentication vulnerability has been identified in OpenViking versions from 0.2.5 up to, but not including, 0.2.14. It allows remote unauthenticated attackers to access protected bot proxy functionality by sending requests to the POST /bot/v1/chat and POST /bot/v1/chat/stream endpoints. Attackers can bypass authentication checks and interact directly with the upstream bot backend through the OpenViking proxy without valid credentials.

Impact

Exploitation of this vulnerability gives an attacker unauthorized access to the bot proxy functionality, enabling interaction with the bot backend without authentication.

Reproduction

The vulnerability can be reproduced by sending a POST request to either the /bot/v1/chat or the /bot/v1/chat/stream endpoint without including an authentication token. The request is processed, and the bot backend can be accessed without valid credentials.

Remediation

Users are advised to update OpenViking to version 0.2.14 or later, where this vulnerability has been patched.
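To check whether the two endpoints were served to requests without credentials before the upgrade, access logs can be reviewed with a script such as the following. This is an added example, not code from the advisory or from the OpenViking project. It assumes a reverse proxy that writes one JSON object per line; the field names (src, method, path, status, headers) and the credential header names are assumptions, and the sample log lines are constructed.

```python
import json

AFFECTED_PATHS = {"/bot/v1/chat", "/bot/v1/chat/stream"}  # endpoints named in the advisory
AUTH_HEADERS = {"authorization", "x-api-key"}  # assumption: headers that carry credentials

# Constructed sample access log, one JSON object per line (field names are assumptions).
SAMPLE_LOG = """\
{"src":"198.51.100.7","method":"POST","path":"/bot/v1/chat","status":200,"headers":{"content-type":"application/json"}}
{"src":"192.0.2.10","method":"POST","path":"/bot/v1/chat/stream?s=1","status":200,"headers":{"Authorization":"Bearer REDACTED"}}
{"src":"198.51.100.7","method":"post","path":"/bot/v1/chat/stream/","status":200,"headers":{"authorization":""}}
{"src":"203.0.113.5","method":"POST","path":"/bot/v1/chat","status":401,"headers":{}}
{"src":"192.0.2.10","method":"GET","path":"/health","status":200,"headers":{}}
truncated line that is not JSON
{"src":"203.0.113.5","method":"POST","path":"/api/v1/search","status":200}
"""


def has_credentials(headers):
    """True if any credential header is present with a non-empty value."""
    return any(
        name.lower() in AUTH_HEADERS and str(value).strip()
        for name, value in (headers or {}).items()
    )


def find_unauthenticated_hits(log_text):
    """Return (hits, skipped): served credential-less POSTs to the bot proxy, and unparsable lines."""
    hits, skipped = [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            skipped += 1  # count, do not silently drop, so gaps in coverage are visible
            continue
        # Normalise: ignore the query string and a trailing slash before matching.
        path = str(rec.get("path", "")).split("?", 1)[0].rstrip("/")
        served = str(rec.get("status", "")).startswith("2")  # 2xx: the proxy processed it
        if (str(rec.get("method", "")).upper() == "POST" and path in AFFECTED_PATHS
                and served and not has_credentials(rec.get("headers"))):
            hits.append((rec.get("src"), path))
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = find_unauthenticated_hits(SAMPLE_LOG)
    for src, path in hits:
        print(f"unauthenticated POST served: {src} -> {path}")
    print(f"{len(hits)} hit(s), {skipped} unparsable line(s)")
```

A 2xx response to a credential-less POST on either path indicates the request was forwarded to the bot backend; on a patched deployment the same check also works as a regression test against fresh logs.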

Added: Apr 1, 2026, 2:35 PM
Updated: Apr 1, 2026, 2:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.4
remediation: 0.0
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.