OpenBullet2 0.3.2 NTLMv2 Hash Disclosure via UNC Path Proxy Source

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.

Basic Information

ID CVE-2026-39908

Source VulnCheck

Published Jun 8, 2026 at 16:47

Modified Jun 8, 2026 at 16:51

Affected Product

Vendor openbullet

Product openbullet2

Affected Versions openbullet openbullet2 0

CWE Classification

CWE-522

References

{
    "lastseen": "",
    "description": "OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.",
    "published": "2026-06-08T16:47:18.702Z",
    "modified": "2026-06-08T16:51:05.991Z",
    "type": "cve",
    "title": "OpenBullet2 0.3.2 NTLMv2 Hash Disclosure via UNC Path Proxy Source",
    "source": "VulnCheck",
    "references": "https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2\nhttps://www.vulncheck.com/advisories/openbullet2-ntlmv2-hash-disclosure-via-unc-path-proxy-source",
    "id": "CVE-2026-39908",
    "bulletinFamily": "",
    "cwe": [
        "CWE-522"
    ],
    "cvelist": null,
    "sourceData": "openbullet openbullet2 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "openbullet2",
    "version": "0",
    "vendor": "openbullet",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenBullet2 0.3.2 NTLMv2 Hash Disclosure via UNC Path Proxy Source_CVE-2026-39908