CVE-2026-25555
Description
OpenBullet2 0.3.2 has an authentication bypass allowing unauthenticated attackers to gain admin access via an empty X-Api-Key header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware. This vulnerability allows unauthenticated attackers to gain administrative access by supplying an empty X-Api-Key header value. The issue arises from the middleware's comparison of the supplied header against an empty AdminApiKey default string [1].
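To make the described failure concrete, the following is an added Python sketch (not OpenBullet2 code, and not derived from its source) of a header-based API key check in two forms: the defective pattern the advisory describes, where the supplied header value is compared directly against a configured key whose default is the empty string, and a hardened form that refuses to authenticate when either side is empty and compares in constant time. The header name `X-Api-Key` and the setting name `AdminApiKey` come from the advisory; how the real middleware treats a request with no header at all is not stated on this page, so the sketch assumes it is rejected. The sample requests are constructed.

```python
"""Illustration of the empty-API-key comparison bypass described in the advisory.

Added stand-alone example, not OpenBullet2 code. It models a header-based API
key check twice: once with the defective equality comparison against a key
whose default is "", and once hardened to fail closed.
"""
import hmac
from typing import Mapping, Optional

HEADER_NAME = "X-Api-Key"  # header name taken from the advisory


def vulnerable_is_admin(headers: Mapping[str, str], admin_api_key: str) -> bool:
    """Defective check: plain equality against the configured AdminApiKey.

    When the operator never set a key, admin_api_key is "" (the default the
    advisory describes), so a request carrying an empty X-Api-Key header
    compares equal and is treated as an administrator.
    """
    supplied = headers.get(HEADER_NAME)
    if supplied is None:  # absent header: assumed rejected (assumption, not from the page)
        return False
    return supplied == admin_api_key


def hardened_is_admin(headers: Mapping[str, str], admin_api_key: Optional[str]) -> bool:
    """Hardened check.

    1. An unset or empty configured key never authenticates anyone.
    2. An absent or empty header never authenticates anyone.
    3. The comparison is constant-time so the key cannot be recovered
       byte by byte through timing differences.
    """
    if not admin_api_key:
        return False
    supplied = headers.get(HEADER_NAME)
    if not supplied:
        return False
    return hmac.compare_digest(supplied.encode("utf-8"), admin_api_key.encode("utf-8"))


def startup_config_check(admin_api_key: Optional[str]) -> str:
    """Fail closed at boot: an empty admin key must not silently enable the API."""
    if not admin_api_key:
        return "refuse: AdminApiKey is unset; generate one before exposing the API"
    if len(admin_api_key) < 32:
        return "warn: AdminApiKey is short; use at least 32 random characters"
    return "ok"


def compare_checks(admin_api_key: str):
    """Run both checks over constructed requests.

    Returns {case_name: (vulnerable_result, hardened_result)}.
    """
    # Constructed sample requests, not captured traffic.
    cases = {
        "no_header": {},
        "empty_header": {HEADER_NAME: ""},
        "wrong_key": {HEADER_NAME: "not-the-key"},
        "correct_key": {HEADER_NAME: admin_api_key},
    }
    return {
        name: (vulnerable_is_admin(h, admin_api_key), hardened_is_admin(h, admin_api_key))
        for name, h in cases.items()
    }


if __name__ == "__main__":
    print("AdminApiKey left at default (empty):")
    for name, (vuln, hard) in compare_checks("").items():
        print(f"  {name:14s} vulnerable={vuln!s:5s} hardened={hard}")
    print("AdminApiKey configured:")
    for name, (vuln, hard) in compare_checks("example-configured-key").items():
        print(f"  {name:14s} vulnerable={vuln!s:5s} hardened={hard}")
```

With the key left at its empty default, the defective check admits the `empty_header` request while the hardened check admits nothing; with a key configured, both accept only the matching header. The startup check is the defensive complement: a deployment whose admin key is unset should refuse to expose the API rather than rely on the request-time comparison to notice.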
Exploitation
An attacker can exploit this vulnerability by sending a request to the OpenBullet2 API with an empty X-Api-Key header. This bypasses the authentication mechanism, allowing the attacker to access the admin console and all API endpoints without needing valid credentials [1].
Impact
Successful exploitation grants an unauthenticated attacker administrative access to the OpenBullet2 application. This includes access to the admin console and all API endpoints, potentially allowing for full control over the application and any associated functionalities or data [1].
Mitigation
OpenBullet2 versions 0.3.2 and earlier are affected. A patched version is expected, but no specific fixed version or release date is currently available in the provided references. Users are advised to update to a patched version once it becomes available. No workarounds are disclosed in the available references [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.