CVE-2026-25555 CRITICAL

CVE-2026-25555: OpenBullet2 0.3.2 Authentication Bypass via X-Api-Key Header

Vendor Openbullet
Product openbullet2
Weakness CWE-305
Published June 8, 2026
Last update June 8, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.
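The comparison described above, modeled as an added example next to a fail-closed version; this is not OpenBullet2 source code. Every name except X-Api-Key and AdminApiKey is hypothetical, and the key values are constructed.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration of the flaw class; not taken from the OpenBullet2 code base.
public static class ApiKeyCheck
{
    // Flawed pattern: plain equality against the configured key. With
    // AdminApiKey left at its empty default, an empty X-Api-Key value
    // equals it and the caller is treated as admin.
    public static bool IsAdminFlawed(string? suppliedHeader, string adminApiKey)
        => suppliedHeader != null && suppliedHeader == adminApiKey;

    // Hardened pattern: fail closed when no key is configured or supplied,
    // then compare fixed-length digests in constant time.
    public static bool IsAdminHardened(string? suppliedHeader, string? adminApiKey)
    {
        if (string.IsNullOrWhiteSpace(adminApiKey)) return false; // no key set: API-key auth is off
        if (string.IsNullOrEmpty(suppliedHeader)) return false;   // empty or missing header
        byte[] supplied = SHA256.HashData(Encoding.UTF8.GetBytes(suppliedHeader));
        byte[] expected = SHA256.HashData(Encoding.UTF8.GetBytes(adminApiKey));
        return CryptographicOperations.FixedTimeEquals(supplied, expected);
    }

    public static void Main()
    {
        // Constructed cases: (X-Api-Key value, configured AdminApiKey)
        var cases = new (string? Header, string Key)[]
        {
            ("", ""),                               // default config, empty header
            (null, ""),                             // default config, header absent
            ("", "k-constructed-1"),                // key set, empty header
            ("k-constructed-1", "k-constructed-1"), // key set, correct header
            ("wrong", "k-constructed-1"),           // key set, wrong header
        };
        foreach (var (header, key) in cases)
            Console.WriteLine($"header={Show(header)} key={Show(key)} " +
                $"flawed={IsAdminFlawed(header, key)} hardened={IsAdminHardened(header, key)}");
    }

    private static string Show(string? s) => s is null ? "<absent>" : $"\"{s}\"";
}
```

The same fail-closed rule can also be enforced at startup, by refusing to enable API-key authentication while AdminApiKey is empty.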

Key dates

02 Disclosure timeline

June 8, 2026 CVE published
June 8, 2026 Record updated