CVE-2026-25555

OpenBullet2 · OpenBullet2

OpenBullet2 contains an authentication bypass vulnerability in its API key middleware, allowing unauthenticated attackers to access the admin console by providing an empty API key.

Executive summary

An authentication bypass in OpenBullet2 allows unauthenticated remote attackers to gain full administrative control over the application by manipulating API header values.

Vulnerability

The vulnerability exists in the API key authentication middleware, which compares the user-supplied X-Api-Key header value against a default value that is itself empty. A request carrying an empty X-Api-Key header therefore matches the default, and unauthenticated users gain administrative access to all API endpoints.
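As an added illustration (not OpenBullet2's own code), the following Python models the comparison described above beside a fail-closed version. The X-Api-Key header name and the empty default come from the advisory; the Request type, the function names and the configured_key parameter are constructed here.

```python
"""Model of the X-Api-Key check described in the advisory (added example)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: a path and a header map (constructed)."""
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def vulnerable_is_authorized(req: Request, configured_key: str = "") -> bool:
    """Pattern the advisory describes: the header value is compared directly
    against a configured key whose default is the empty string. With no key
    configured, a request whose X-Api-Key header is present but empty passes."""
    supplied = req.headers.get("X-Api-Key")
    return supplied == configured_key


def hardened_is_authorized(req: Request, configured_key: Optional[str]) -> bool:
    """Fail-closed variant: refuse when no key has been configured, refuse when
    the header is absent or empty, and compare in constant time otherwise."""
    if not configured_key:
        return False          # an unconfigured deployment must not fail open
    supplied = req.headers.get("X-Api-Key")
    if not supplied:
        return False          # a missing or empty header is never a valid key
    return hmac.compare_digest(supplied.encode(), configured_key.encode())


if __name__ == "__main__":
    # Constructed request: an admin endpoint reached with an empty API key.
    anon = Request("/api/v1/admin/settings", {"X-Api-Key": ""})
    print("vulnerable check:", vulnerable_is_authorized(anon))        # True
    print("hardened check:  ", hardened_is_authorized(anon, None))    # False
```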

Business impact

The CVSS score of 9.8 reflects the severity of an authentication bypass that grants administrative privileges. Exploitation allows attackers to take full control of the application, potentially leading to data exfiltration, service manipulation, and complete loss of system confidentiality and integrity.

Remediation

Immediate Action: Update OpenBullet2 to a version greater than 0.3.2 without delay.

Proactive Monitoring: Audit API access logs for successful requests that lack a valid X-Api-Key header, and for attempts to reach administrative endpoints.

Compensating Controls: Restrict access to the API and administrative console to known, trusted IP ranges via firewall rules until the patch is applied.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability provides a trivial path to administrative access and must be addressed immediately. Organizations should update their installations and verify that no unauthorized API keys or administrative sessions have been established.