OpenBullet2 contains an authentication bypass vulnerability in its API key middleware, allowing unauthenticated attackers to access the admin console...
Description
OpenBullet2 contains an authentication bypass vulnerability in its API key middleware, allowing unauthenticated attackers to access the admin console by providing an empty API key.
AI Analyst Comment
Remediation
Update OpenBullet2 through Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: OpenBullet2
PRODUCT: OpenBullet2
AFFECTED_VERSIONS: OpenBullet2 through version 0.3.2
---END_METADATA---
Description Summary:
OpenBullet2 contains an authentication bypass vulnerability in its API key middleware, allowing unauthenticated attackers to access the admin console by providing an empty API key.
Executive Summary:
An authentication bypass in OpenBullet2 allows unauthenticated remote attackers to gain full administrative control over the application by manipulating API header values.
Vulnerability Details
CVE-ID: CVE-2026-25555
Affected Software: OpenBullet2
Affected Versions: OpenBullet2 through version 0.3.2
Vulnerability: The vulnerability exists in the API key authentication middleware, which incorrectly compares a user-supplied empty
X-Api-Keyheader against an empty default value. This allows unauthenticated users to gain administrative access to all API endpoints.Business Impact
The CVSS score of 9.8 reflects the severity of an authentication bypass that grants administrative privileges. Exploitation allows attackers to take full control of the application, potentially leading to data exfiltration, service manipulation, and complete loss of system confidentiality and integrity.
Remediation Plan
Immediate Action: Update OpenBullet2 to a version greater than 0.3.2 immediately.
Proactive Monitoring: Audit API access logs for successful requests lacking valid
X-Api-Keyheaders or identifying attempts to access administrative endpoints.Compensating Controls: Restrict access to the API and administrative console to known, trusted IP ranges via firewall rules until the patch is applied.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Jun 8, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This vulnerability provides an trivial path to administrative access and must be addressed immediately. Organizations should update their installations and verify that no unauthorized API keys or administrative sessions have been established.