{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-25555: OpenBullet2 0.3.2 Authentication Bypass via X-Api-Key Header","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-25555","status":"final","version":"1","initial_release_date":"2026-06-08T16:53:37.270Z","current_release_date":"2026-06-08T17:50:15.554Z","revision_history":[{"date":"2026-06-08T16:53:37.270Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-25555 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-25555"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-25555"},{"category":"external","summary":"hackernoon.com","url":"https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2"},{"category":"external","summary":"vulncheck.com","url":"https://www.vulncheck.com/advisories/openbullet2-authentication-bypass-via-x-api-key-header"}]},"product_tree":{"branches":[{"category":"vendor","name":"openbullet","branches":[{"category":"product_name","name":"openbullet2","branches":[{"category":"product_version_range","name":"<=0.3.2","product":{"name":"openbullet openbullet2 <=0.3.2","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:openbullet:openbullet2:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-25555","title":"OpenBullet2 0.3.2 Authentication Bypass via X-Api-Key Header","notes":[{"category":"description","text":"OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":9.3,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1"]}]}]}