CVE 9.3 CRITICAL

OpenBullet2 0.3.2 Authentication Bypass via X-Api-Key Header_CVE-2026-25555

June 8, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.

AI Analysis

Authentication bypass vulnerability in OpenBullet2 API key authentication middleware

Basic Information

ID CVE-2026-25555

Source VulnCheck

Published Jun 8, 2026 at 16:53

Affected Product

Vendor openbullet

Product openbullet2

Version 0.3.2

Affected Versions openbullet openbullet2 0

CWE Classification

CWE-305

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor OpenBullet

Product OpenBullet2

Version 0.3.2

References

{
    "lastseen": "",
    "description": "OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.",
    "published": "2026-06-08T16:53:37.270Z",
    "modified": "2026-06-08T16:53:37.270Z",
    "type": "cve",
    "title": "OpenBullet2 0.3.2 Authentication Bypass via X-Api-Key Header",
    "source": "VulnCheck",
    "references": "https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2\nhttps://www.vulncheck.com/advisories/openbullet2-authentication-bypass-via-x-api-key-header",
    "id": "CVE-2026-25555",
    "bulletinFamily": "",
    "cwe": [
        "CWE-305"
    ],
    "cvelist": null,
    "sourceData": "openbullet openbullet2 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "openbullet2",
    "version": "0.3.2",
    "vendor": "openbullet",
    "ai_description": "Authentication bypass vulnerability in OpenBullet2 API key authentication middleware",
    "ai_severity": "Critical",
    "ai_vendor": "OpenBullet",
    "ai_product": "OpenBullet2",
    "ai_version": "0.3.2",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply