CVE-2026-25555
published 2026-06-08


Priority: P178 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 1.51% (71.2nd percentile)
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in its API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an X-Api-Key header with an empty value. The middleware compares the supplied header value against the AdminApiKey setting, whose default is the empty string; on an instance where that setting was never changed, an empty header therefore matches and grants access to the admin console and every API endpoint without valid credentials.
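To make the comparison flaw concrete, here is an added Python model of the two checks. It is example code written for this page, not OpenBullet2's own code (which is a .NET application): the vulnerable variant compares the raw header against an AdminApiKey setting that defaults to the empty string, exactly as described above, while the hardened variant fails closed when no key is configured and compares in constant time. The Request class, the function names, the placeholder key and the choice to treat an absent header as unauthenticated are all this example's assumptions.

```python
import hmac
from dataclasses import dataclass, field


class ApiKeyConfigError(RuntimeError):
    """Raised when the server would otherwise run with no admin key configured."""


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (only what the check needs)."""
    path: str
    headers: dict = field(default_factory=dict)


def vulnerable_is_admin(request: Request, admin_api_key: str = "") -> bool:
    """The flawed check as the advisory describes it: a plain string comparison
    of the X-Api-Key header against AdminApiKey, whose default value is "".
    An unconfigured key therefore matches an empty header.  Treating an absent
    header as unauthenticated is this model's assumption; the bypass needs the
    header to be present and empty either way."""
    supplied = request.headers.get("X-Api-Key")
    if supplied is None:
        return False
    return supplied == admin_api_key


def hardened_is_admin(request: Request, admin_api_key: str) -> bool:
    """Fail closed: refuse to operate without a configured key, reject empty
    credentials explicitly, and compare in constant time so the key's length
    and prefix do not leak through response timing."""
    if not admin_api_key:
        raise ApiKeyConfigError("AdminApiKey is unset; refusing to serve the admin API")
    supplied = request.headers.get("X-Api-Key")
    if not supplied:
        return False
    return hmac.compare_digest(supplied.encode("utf-8"), admin_api_key.encode("utf-8"))


def demo() -> dict:
    """Run the empty-header probe from the advisory against both variants."""
    probe = Request("/api/v1/info/server", {"X-Api-Key": ""})
    configured_key = "b7f1c9e2d4a64f0e8b1a2c3d4e5f6071"  # placeholder value, not a real key
    results = {
        "vulnerable_default_key": vulnerable_is_admin(probe),                     # True: bypass
        "vulnerable_configured_key": vulnerable_is_admin(probe, configured_key),  # False
        "hardened_configured_key": hardened_is_admin(probe, configured_key),      # False
    }
    try:
        hardened_is_admin(probe, "")
        results["hardened_default_key"] = "allowed"
    except ApiKeyConfigError:
        results["hardened_default_key"] = "refused to run"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run it directly to see the four outcomes. The change that matters for this CVE is refusing to serve at all while AdminApiKey is empty; the constant-time comparison is general hygiene for any bearer-secret check and is not something the advisory itself calls out.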

Affected

1 range

Vendor       Product       Version range   Fixed in
openbullet   openbullet2   <= 0.3.2        not listed

Detection & IOCs (extracted from sources)

URL: /api/v1/info/server
Other: X-Api-Key: (empty)
  • Detect authentication bypass attempts by monitoring HTTP requests to OpenBullet2 API endpoints that include an empty X-Api-Key header value.
  • Alert on HTTP 200 responses to /api/v1/info/server (or other admin API endpoints) where the request carried an empty X-Api-Key header, indicating a successful bypass.
  • Use FOFA/Shodan fingerprint 'title="Openbullet2WebClient"' to identify exposed OpenBullet2 instances that may be vulnerable.
  • The exploit succeeds because the middleware compares the supplied empty header against an empty AdminApiKey default string — flag any deployment where AdminApiKey is unset/empty.
  • The vulnerability only exists when AdminApiKey is left at its empty default value. Instances with a non-empty AdminApiKey configured are not exploitable via this bypass.
  • Affected versions are OpenBullet2 0.3.2 and below; the Nuclei template is marked 'verified: false', so detections should be validated in a controlled environment before production deployment.
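The log-side detection the bullets above describe, as an added example that is not from the page's sources or the Nuclei template: a Python scanner run over constructed access-log lines in an assumed reverse-proxy log format that records the raw X-Api-Key header ("-" when no header was sent, "" when it was sent with an empty value). It goes slightly beyond the bullets by also flagging a 2xx on an /api/ path with no key at all, since that shows the key check is not being enforced regardless of this bug. The path prefix, the log format and the sample traffic are this example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic).  Assumed format, configured
# by the operator on the reverse proxy in front of OpenBullet2:
#   <client ip> [<time>] "<method> <path> <protocol>" <status> "<X-Api-Key header>"
# The last field is the raw header: "-" when no header was sent, "" when the
# header was sent with an empty value (the signature of this bypass).
SAMPLE_LOG = """\
203.0.113.7 [08/Jun/2026:10:01:02 +0000] "GET /api/v1/info/server HTTP/1.1" 200 ""
203.0.113.7 [08/Jun/2026:10:01:03 +0000] "GET /api/v1/jobs HTTP/1.1" 200 ""
198.51.100.2 [08/Jun/2026:10:02:10 +0000] "GET /api/v1/info/server HTTP/1.1" 200 "3a1f5c7e9b2d4f6081a3c5e7f9b1d3e5"
198.51.100.9 [08/Jun/2026:10:03:00 +0000] "GET /api/v1/info/server HTTP/1.1" 401 ""
198.51.100.9 [08/Jun/2026:10:03:01 +0000] "GET /api/v1/info/server HTTP/1.1" 401 "-"
192.0.2.4 [08/Jun/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<api_key>[^"]*)"$'
)

# Paths that must carry a valid key; tune to the deployment (assumed prefix).
PROTECTED_PREFIX = "/api/"


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec: dict):
    """Map one request to a finding kind, or None if it is not of interest.
    - "bypass":  empty X-Api-Key to a protected path answered 2xx (the CVE succeeded)
    - "attempt": empty X-Api-Key to a protected path answered anything else
    - "unauthenticated_success": no key at all, yet 2xx on a protected path
      (not this bug, but the endpoint is not enforcing the key check)"""
    if not rec["path"].startswith(PROTECTED_PREFIX):
        return None
    succeeded = 200 <= rec["status"] < 300
    if rec["api_key"] == "":
        return "bypass" if succeeded else "attempt"
    if rec["api_key"] == "-" and succeeded:
        return "unauthenticated_success"
    return None


def scan(log_text: str) -> list:
    """Run the classifier over a log and keep only lines that produced a finding."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped, not silently counted as clean
        kind = classify(rec)
        if kind:
            findings.append({"kind": kind, "ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "time": rec["time"]})
    return findings


def summarize(findings: list) -> dict:
    """Per-source counts, the shape a SIEM correlation rule would aggregate on."""
    per_ip = defaultdict(Counter)
    for f in findings:
        per_ip[f["ip"]][f["kind"]] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['kind']:<10} {f['ip']:<14} {f['status']} {f['path']}")
    print(summarize(found))
```

Two practical caveats: the distinction between an absent header and an empty one is only available if the proxy logs the raw header value, so confirm that in the log format before trusting "attempt" counts; and a "bypass" finding on a host whose AdminApiKey is known to be set is a false positive worth investigating as a logging or configuration drift problem rather than dismissing.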

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 9.3 CRITICAL
  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X