Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-25555
PUBLISHED
More InfoOfficial Page
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
View Known Exploited Vulnerability (KEV) details
Published At-08 Jun, 2026 | 16:53
Updated At-08 Jun, 2026 | 17:50
Rejected At-
▼CVE Numbering Authority (CNA)
OpenBullet2 0.3.2 Authentication Bypass via X-Api-Key Header

OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.

Affected Products
Vendor
openbullet
Product
openbullet2
Repo
https://github.com/openbullet/openbullet2
Default Status
affected
Versions
Affected
  • From 0 through 0.3.2 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-305Authentication Bypass by Primary Weakness
Type: CWE
CWE ID: CWE-305
Description: Authentication Bypass by Primary Weakness
Metrics
VersionBase scoreBase severityVector
4.09.3CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 4.0
Base score: 9.3
Base severity: CRITICAL
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Maksim Rogov
finder
VulnCheck
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2
technical-description
exploit
https://www.vulncheck.com/advisories/openbullet2-authentication-bypass-via-x-api-key-header
third-party-advisory
Hyperlink: https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2
Resource:
technical-description
exploit
Hyperlink: https://www.vulncheck.com/advisories/openbullet2-authentication-bypass-via-x-api-key-header
Resource:
third-party-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found