CVE-2026-25555
9.8 CRITICALOpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows un...
Published: 2026-06-08 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-305
Description
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-9798 — A flaw was found in Keycloak, an open-source identity and access management solution (4.3 MEDIUM)
- CVE-2026-41054 — In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\0/sys/entropy/haveged`) (7.8 HIGH)
- CVE-2026-6334 — Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code red... (3.1 LOW)
- CVE-2026-2652 — A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is st... (8.6 HIGH)
- CVE-2026-3591 — A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0) (5.4 MEDIUM)