CVE-2026-25555

Source
https://cve.org/CVERecord?id=CVE-2026-25555
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25555.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25555
Published
2026-06-08T16:53:37.270Z
Modified
2026-07-08T08:09:14.795760310Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenBullet2 0.3.2 Authentication Bypass via X-Api-Key Header
Details

OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-305"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25555.json"
}
References

Affected packages

Git / github.com/openbullet/openbullet2

Affected ranges

Type
GIT
Repo
https://github.com/openbullet/openbullet2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.3.2"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.1.0
0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.2
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.3.0
0.3.0.2586
0.3.1
0.3.1.2631
0.3.1.2637
0.3.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25555.json"