CVE-2026-25555NVD

Vulnerability Summary

OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.

Severity Level

CRITICAL(9.8)

Published Date

Jun 8, 2026

Last Modified

Jun 8, 2026

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

N/A

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

External References

https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2
https://www.vulncheck.com/advisories/openbullet2-authentication-bypass-via-x-api-key-header

Critical Alert

CVE Watchtower

CVE-2026-25555NVD

Vulnerability Summary

External References