CVE-2026-25555
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware. Attackers can gain admin access by supplying an empty X-Api-Key header value.
Risk Assessment
This vulnerability allows unauthenticated attackers to access all API endpoints and the admin console, posing a serious security threat to the system.
Recommendation
It is recommended to update OpenBullet2 to the latest version and implement additional security measures to prevent access without valid credentials.
Original NVD description (English source)
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.

