Home

Description

OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.

PUBLISHED Reserved 2026-04-07 | Published 2026-06-08 | Updated 2026-06-08 | Assigner VulnCheck




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

Insufficiently Protected Credentials

Product status

Default status
affected

Any version
affected

Credits

Maksim Rogov finder

VulnCheck finder

References

hackernoon.com/...dmin-how-an-auth-bypass-breaks-openbullet2 technical-description exploit

www.vulncheck.com/...sh-disclosure-via-unc-path-proxy-source third-party-advisory

cve.org (CVE-2026-39908)

nvd.nist.gov (CVE-2026-39908)

Download JSON