Description
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.
Published: 2026-06-08
Score: 9.3 Critical
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenBullet2 versions up to 0.3.2 contain a flaw in the API key authentication middleware that allows an unauthenticated attacker to supply an empty X-Api-Key header. Because the code compares the header value against a default empty AdminApiKey string, the request is treated as authenticated and grants full administrative access by bypassing credential checks. This weakness is a CWE‑305 instance where empty input is improperly handled, enabling an attacker to compromise the entire application without prior compromise.

Affected Systems

The affected application is OpenBullet2 built on the openbullet:openbullet2 code base. Versions 0.3.2 and any earlier releases are vulnerable and operators running these editions face the risk of full administrative takeover.

Risk and Exploitability

The flaw receives a CVSS critical impact. An EPSS score of 2% shows a low but measurableers need only send a request with an empty X-Api-Key header to the API, without any additional credentials or privileges. The vulnerability is not listed in CISA KEV, yet it provides total control of the system when successful.

Generated by OpenCVE AI on June 24, 2026 at 12:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest released version of OpenBullet2 that removes the empty X-Api-Key check; any release newer than 0.3.2 should provide the fix.
  • If an upgrade cannot be performed immediately, configure the application to disallow an empty AdminApiKey and enforce the presence of a non‑empty X-Api-Key header for all requests, rejecting any request that does not meet this requirement.
  • Restrict access to the admin console and all API endpoints that accept X-Api-Key headers to trusted or internal networks, or protect them behind a firewall or VPN.

Generated by OpenCVE AI on June 24, 2026 at 12:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Openbullet
Openbullet openbullet2
Vendors & Products Openbullet
Openbullet openbullet2

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Description OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.
Title OpenBullet2 0.3.2 Authentication Bypass via X-Api-Key Header
Weaknesses CWE-305
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openbullet Openbullet2
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T17:50:15.554Z

Reserved: 2026-02-02T20:12:33.395Z

Link: CVE-2026-25555

cve-icon Vulnrichment

Updated: 2026-06-08T17:50:10.917Z

cve-icon NVD

Status : Deferred

Published: 2026-06-08T17:16:41.080

Modified: 2026-06-09T13:51:18.770

Link: CVE-2026-25555

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-305

    Authentication Bypass by Primary Weakness