Description

OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.
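To make the failure mode concrete, the following ASP.NET Core middleware sketch is an added example, not OpenBullet2's own code: the commented-out vulnerable pattern treats a missing or empty `X-Api-Key` header (which reads back as `""`) as equal to an unconfigured `AdminApiKey` default of `""`, while the hardened `IsAuthorized` check fails closed when either side is empty and compares in constant time. `SecuritySettings` and `ApiKeyAuthMiddleware` are hypothetical names chosen for this illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Hypothetical settings holder; the page does not name OpenBullet2's real configuration type.
public sealed class SecuritySettings
{
    // Defaulting a secret to the empty string is what makes the empty header match.
    public string AdminApiKey { get; set; } = "";
}

public sealed class ApiKeyAuthMiddleware
{
    private readonly RequestDelegate _next;
    private readonly SecuritySettings _settings;

    public ApiKeyAuthMiddleware(RequestDelegate next, SecuritySettings settings)
    {
        _next = next;
        _settings = settings;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Vulnerable pattern (illustrative): an absent header yields "" and "" == "" grants admin.
        //   string supplied = context.Request.Headers["X-Api-Key"].ToString();
        //   if (supplied == _settings.AdminApiKey) { /* treated as admin */ }

        string supplied = context.Request.Headers["X-Api-Key"].ToString();
        if (!IsAuthorized(supplied, _settings.AdminApiKey))
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }
        await _next(context);
    }

    // Hardened check: an unconfigured (empty) key can never be satisfied, an empty
    // header is never accepted, and the comparison does not leak timing information.
    public static bool IsAuthorized(string? supplied, string? configured)
    {
        if (string.IsNullOrEmpty(configured) || string.IsNullOrEmpty(supplied))
            return false;
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(supplied), Encoding.UTF8.GetBytes(configured));
    }
}
```

A quick regression check for this class of bug is a request with no `X-Api-Key` header and one with `X-Api-Key:` set to an empty value against a deployment whose admin key was never configured; both must return 401.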

PUBLISHED | Reserved 2026-02-02 | Published 2026-06-08 | Updated 2026-06-08 | Assigner VulnCheck

CRITICAL: 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Authentication Bypass by Primary Weakness

Product status

Default status: affected

Any version: affected

Credits

Maksim Rogov (finder)

VulnCheck (finder)

References

hackernoon.com/...dmin-how-an-auth-bypass-breaks-openbullet2 (technical description, exploit)

www.vulncheck.com/...hentication-bypass-via-x-api-key-header (third-party advisory)

cve.org (CVE-2026-25555)

nvd.nist.gov (CVE-2026-25555)