CVE-2026-25555
published 2026-06-08
Priority: P178 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.51% (71.2 percentile)
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openbullet | openbullet2 | <= 0.3.2 | — |
Detection & IOCs (extracted from sources)
- Detect authentication bypass attempts by monitoring HTTP requests to OpenBullet2 API endpoints that include an empty X-Api-Key header value.
- Alert on HTTP 200 responses to /api/v1/info/server (or other admin API endpoints) where the request carried an empty X-Api-Key header, indicating a successful bypass.
- Use the FOFA/Shodan fingerprint title="Openbullet2WebClient" to identify exposed OpenBullet2 instances that may be vulnerable.
- The exploit succeeds because the middleware compares the supplied empty header against an empty AdminApiKey default string; flag any deployment where AdminApiKey is unset/empty.
- The vulnerability only exists when AdminApiKey is left at its empty default value. Instances with a non-empty AdminApiKey configured are not exploitable via this bypass.
- Affected versions are OpenBullet2 0.3.2 and below. The Nuclei template is marked verified: false, so detections should be validated in a controlled environment before production deployment.
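To make the mechanism and the detection concrete, here is an added example (not OpenBullet2's code and not from any of the sources above). It reconstructs the flawed check the advisory describes, a fail-closed variant of it, the AdminApiKey configuration check, and a detector over proxy log records. The header name X-Api-Key, the setting name AdminApiKey and the endpoint /api/v1/info/server come from the advisory; the settings dict layout, the log record shape and the sample records are assumptions constructed for the example.

```python
"""Model of the CVE-2026-25555 bypass plus a log-side detector.

Added example: this is not OpenBullet2 code. The header name X-Api-Key,
the setting name AdminApiKey and the endpoint /api/v1/info/server are
taken from the advisory; the middleware logic is a minimal reconstruction
of the behaviour it describes, and the proxy-log record shape and the
settings dict layout are assumptions.
"""
import hmac
from typing import Optional


def vulnerable_is_admin(supplied: Optional[str], admin_api_key: str = "") -> bool:
    """Reconstruction of the flawed check: the header value is compared
    directly with AdminApiKey, whose default is the empty string, so an
    empty X-Api-Key matches an unset key and is treated as admin."""
    if supplied is None:
        # Absent header: the advisory only describes the empty-value case,
        # so the model denies it rather than guessing.
        return False
    return supplied == admin_api_key


def hardened_is_admin(supplied: Optional[str], admin_api_key: str = "") -> bool:
    """Fail-closed variant: no configured key means the admin API is off,
    an absent or empty header never authenticates, and the comparison is
    constant-time so a wrong key leaks nothing about the right one."""
    if not admin_api_key or not supplied:
        return False
    return hmac.compare_digest(supplied.encode(), admin_api_key.encode())


def admin_key_unset(settings: dict) -> bool:
    """Configuration check: True when AdminApiKey is missing or empty,
    i.e. the deployment is in the exploitable state (assumed dict layout)."""
    return not settings.get("AdminApiKey")


# Constructed proxy-log records (assumed shape: src, method, path, status,
# request headers). Only a proxy/WAF configured to log request headers will
# produce this; a plain access log does not record X-Api-Key.
SAMPLE_RECORDS = [
    {"src": "203.0.113.10", "method": "GET", "path": "/api/v1/info/server",
     "status": 200, "headers": {"X-Api-Key": ""}},
    {"src": "198.51.100.7", "method": "GET", "path": "/api/v1/info/server",
     "status": 401, "headers": {"X-Api-Key": "wrong-key"}},
    {"src": "192.0.2.5", "method": "GET", "path": "/api/v1/jobs",
     "status": 200, "headers": {"X-Api-Key": "valid-operator-key"}},
    {"src": "203.0.113.10", "method": "POST", "path": "/api/v1/settings",
     "status": 403, "headers": {"x-api-key": ""}},
    {"src": "192.0.2.9", "method": "GET", "path": "/",
     "status": 200, "headers": {}},
]


def classify(record: dict) -> Optional[str]:
    """'bypass' for an empty X-Api-Key that got HTTP 200 on an /api/ path,
    'attempt' for an empty X-Api-Key that was rejected, None otherwise.
    Header names are matched case-insensitively."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    if "x-api-key" not in headers or headers["x-api-key"] != "":
        return None
    if not record["path"].startswith("/api/"):
        return None
    return "bypass" if record["status"] == 200 else "attempt"


def detect(records: list) -> list:
    """Return (src, method, path, verdict) for every flagged record."""
    out = []
    for r in records:
        verdict = classify(r)
        if verdict:
            out.append((r["src"], r["method"], r["path"], verdict))
    return out


if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(hit)
```

The detector only sees what the reverse proxy or WAF in front of OpenBullet2 logs, so it has to be configured to record the X-Api-Key header (value only needs to be logged as empty/non-empty). The hardened check deliberately refuses to authenticate anyone while AdminApiKey is unset; the advisory says an empty key is the default, so treating "no key configured" as "admin API disabled" is what closes the bypass.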
CVSS provenance
NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v4.0: 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
ghsa_unreviewed · 2026-06-08 · CWE-305 (Authentication Bypass by Primary Weakness)
CVE-2026-25555 [CRITICAL]: OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.
VulDB
vuldb · 2026-06-08 · CVSS 9.8
CVE-2026-25555 [CRITICAL]: openbullet2 up to 0.3. API Endpoint authentication bypass (EUVD-2026-35138)
A vulnerability classified as critical has been found in openbullet2 up to 0.3. The impacted element is an unknown function of the component API Endpoint. This manipulation causes authentication bypass by primary weakness.
This vulnerability is tracked as CVE-2026-25555. The attack can be carried out remotely. No exploit exists.
No detection rules found.
Nuclei
nuclei · CVSS 9.8
CVE-2026-25555 [CRITICAL]: OpenBullet2 <= 0.3.2 - Authentication Bypass
OpenBullet2 <= 0.3.2 contains an authentication bypass caused by the API key authentication middleware's improper handling of an empty X-Api-Key header, letting unauthenticated attackers gain admin access. Exploitation requires only sending an empty X-Api-Key header.
Template:
```yaml
id: CVE-2026-25555

info:
  name: OpenBullet2 <= 0.3.2 - Authentication Bypass
  author: 0x_Akoko
  severity: critical
  description: |
    OpenBullet2 <= 0.3.2 contains an authentication bypass caused by the API key
    authentication middleware's improper handling of an empty X-Api-Key header,
    letting unauthenticated attackers gain admin access. Exploitation requires
    only sending an empty X-Api-Key header.
  impact: |
    Unauthenticated attackers can gain full admin access, compromising the entire system and API endpoints.
  remediation: |
```
No writeups or analysis indexed.
Published: 2026-06-08