
OpenBullet2 CVE-2026-25555
EUVD-2026-35138 · CRITICAL
Authentication Bypass by Primary Weakness (CWE-305)
2026-06-08 · VulnCheck · GHSA-54jj-4v6g-j34h
CVSS 4.0 score 9.3 (NVD)

Severity by source

NVD (primary): 9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS vector (NVD) breakdown

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability High
Subsequent System Impact: Confidentiality None, Integrity None, Availability None

CVSS 4.0 has no Scope metric; its role is taken by the Subsequent System impact metrics above. The trailing S:X in the vector is the Safety supplemental metric, which is not defined for this CVE.

Lifecycle Timeline

Analysis generated: Jun 08, 2026 17:22 (vuln.today)
CVSS changed: Jun 08, 2026 17:22 (NVD), from 9.8 (CRITICAL) to 9.3 (CRITICAL)

Description (CVE.org)

OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.

Analysis (AI)

Authentication bypass in OpenBullet2 through 0.3.2 lets unauthenticated remote attackers obtain full admin access by sending an empty X-Api-Key HTTP header, because the API key middleware compares the submitted value against the default AdminApiKey, which is an empty string. With a CVSS 4.0 score of 9.3, publicly available exploit code, and a writeup from VulnCheck/Hackernoon, this is a trivially exploitable flaw that exposes the admin console and every API endpoint of any internet-reachable deployment left in its default configuration.
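The flaw described above reduces to one comparison: the header value is tested for plain equality against a configured key whose shipped default is the empty string, so an empty header matches an unconfigured key. The following Python model is an added example written for this page; it is not OpenBullet2's own (C#) middleware code, and only the header name X-Api-Key, the setting name AdminApiKey and its empty default come from the advisory. The function names, MIN_KEY_LENGTH, and the treatment of an absent header as "no match" are assumptions of the model. It shows the flawed check beside a fail-closed version that refuses to grant admin when the key is unset, refuses empty headers, and compares in constant time.

```python
import hmac
import secrets
from typing import Mapping, Optional

HEADER = "X-Api-Key"   # header name named in the advisory
MIN_KEY_LENGTH = 32    # assumption for the hardened check, not an OpenBullet2 setting


def header_value(headers: Mapping[str, str]) -> Optional[str]:
    """Case-insensitive header lookup. Returns None when the header is absent
    and '' when it is present but empty (the condition the advisory describes)."""
    for name, value in headers.items():
        if name.lower() == HEADER.lower():
            return value
    return None


def vulnerable_is_admin(headers: Mapping[str, str], admin_api_key: str = "") -> bool:
    """Model of the flawed check (reconstructed from the advisory text, not the
    project's source): plain equality against the configured key, whose default
    is ''. An empty X-Api-Key header therefore matches an unconfigured key."""
    supplied = header_value(headers)
    return supplied is not None and supplied == admin_api_key


def hardened_is_admin(headers: Mapping[str, str], admin_api_key: Optional[str]) -> bool:
    """Fail-closed version of the same check:
    - an unset or too-short configured key never grants admin;
    - a missing or empty header never grants admin;
    - the comparison is constant-time, so the key cannot be guessed byte by byte."""
    if not admin_api_key or len(admin_api_key) < MIN_KEY_LENGTH:
        return False
    supplied = header_value(headers)
    if not supplied:
        return False
    return hmac.compare_digest(supplied.encode(), admin_api_key.encode())


def generate_admin_api_key() -> str:
    """Value an operator should configure instead of leaving the default empty."""
    return secrets.token_urlsafe(MIN_KEY_LENGTH)


if __name__ == "__main__":
    # Constructed request: header present with an empty value, key left at default.
    attacker_request = {"X-Api-Key": ""}
    print("vulnerable check grants admin:", vulnerable_is_admin(attacker_request))
    print("hardened check grants admin:  ", hardened_is_admin(attacker_request, ""))
```

The important design choice is the first guard in hardened_is_admin: the middleware should treat "no key configured" as "admin API disabled" rather than as "any matching value is fine". The constant-time comparison is a secondary hardening; it does not address this CVE, where the key is known to be empty, but it is what a practitioner expects of any bearer-secret check.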


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: identify an exposed OpenBullet2 instance
Delivery: send a request with an empty X-Api-Key header
Exploit: the middleware matches the empty AdminApiKey default
Execution: gain an admin session on the API and console
Impact: exfiltrate configs and launch jobs

Vulnerability Assessment (AI)

Exploitation: requires that the OpenBullet2 instance run a version up to 0.3.2 with the AdminApiKey configuration value left at its empty default (the shipped default state) and that the API/admin endpoints be reachable over the network from the attacker. …

Risk Assessment: every available signal points to high real-world risk. …

Exploit Scenario: an attacker discovers an internet-exposed OpenBullet2 instance via Shodan or similar and sends a single HTTP request to an admin API endpoint with the header X-Api-Key set to an empty value, which the middleware accepts as a valid admin credential. The attacker is dropped straight into the admin console and every API endpoint, where they can exfiltrate stored configs, wordlists and proxies, launch credential-stuffing jobs from the compromised host, or pivot further. …

Remediation: no vendor-released patch identified at the time of analysis; the advisory lists OpenBullet2 as affected through 0.3.2 and discloses no fixed version. Because exploitation depends on AdminApiKey being left empty, configuring a long, random AdminApiKey removes the precondition described above; it is a compensating control, not a substitute for a fixed release, since the comparison logic itself is unchanged. …

Recommended Action (AI)

24 hours: identify all OpenBullet2 instances running version 0.3.2 or earlier; immediately remove internet-facing access and isolate them from external networks; begin comprehensive monitoring of admin console and API access logs for suspicious activity. …
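A practical first step in the identification phase is to test your own instances for the behaviour the advisory describes rather than relying on a version string. The probe below is an added example for this page, not a tool from OpenBullet2, VulnCheck or the writeup it cites. It performs a differential check: the same admin endpoint is requested once with an empty X-Api-Key header and once with a random key. An instance that accepts the empty key but rejects the random one behaves like the flawed middleware; one that accepts both is simply unauthenticated for that path; one that rejects the empty key has a configured key. The admin path is a caller-supplied assumption (the example value /api/admin is hypothetical; OpenBullet2's real routes are not stated on this page), and the transport is injectable so the logic can be exercised offline.

```python
import secrets
import urllib.error
import urllib.request
from typing import Callable

# Transport: (url, api_key) -> HTTP status code. Injectable so the decision
# logic can be tested without a network; the default performs a real request.
Transport = Callable[[str, str], int]


def urllib_transport(url: str, api_key: str) -> int:
    """Send one GET with the X-Api-Key header set to api_key (possibly '').
    urllib emits the header even when the value is empty, which is the
    condition under test. HTTP error responses are returned as their status."""
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status_empty_key: int, status_random_key: int) -> str:
    """Interpret the two responses.
    vulnerable      : empty key accepted, random key rejected (the CVE behaviour)
    endpoint-public : both accepted; the path is not key-protected at all
    not-vulnerable  : empty key rejected; a real key is configured
    inconclusive    : anything else (wrong path, proxy error, rate limiting)."""
    rejected = (401, 403)
    if status_empty_key == 200 and status_random_key in rejected:
        return "vulnerable"
    if status_empty_key == 200 and status_random_key == 200:
        return "endpoint-public"
    if status_empty_key in rejected:
        return "not-vulnerable"
    return "inconclusive"


def probe(base_url: str, admin_path: str, transport: Transport = urllib_transport) -> str:
    """Run the differential check against one instance and return the verdict."""
    url = base_url.rstrip("/") + "/" + admin_path.lstrip("/")
    status_empty = transport(url, "")
    status_random = transport(url, secrets.token_urlsafe(32))
    return classify(status_empty, status_random)


if __name__ == "__main__":
    # Offline demonstration with a fake transport that mimics the flawed check:
    # the configured key is '' so only an empty header "matches".
    def fake_default_config(url: str, key: str) -> int:
        return 200 if key == "" else 401

    # /api/admin is a hypothetical path used for illustration only.
    print(probe("http://ob2.internal:5000", "/api/admin", fake_default_config))
```

Run it only against hosts you own or are authorised to test; the empty-key request is exactly the exploit request, so a 200 on the first call means you have just authenticated as admin. Pair the verdict with the version check in the action item above, since a "not-vulnerable" result only shows that a key is configured, not that the middleware has been fixed.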


CVE-2026-25555 vulnerability details – vuln.today
