HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-25559Published Modified CNA VulnCheck

CVE-2026-25559: OpenBullet2 0.3.2 Path Traversal via Wordlist Endpoint

OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can chain the file write and delete primitives to achieve remote code execution by manipulating critical system files such as /etc/passwd, with full system impact since the application runs as root by default.

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A path traversal vulnerability in OpenBullet2 version 0.3.2 and earlier allows an authenticated attacker to read, write, and delete arbitrary files on the host by supplying unsanitized absolute paths to the wordlist endpoint. The vulnerability is reachable over the network and requires only a low-privilege account. By chaining the write and delete primitives against critical system files such as /etc/passwd, an attacker achieves remote code execution, with full system compromise made easier because the application runs as root by default. No fix versions have been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection of CVE-2026-25559 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from OpenBullet2 base layers. Any image containing an affected version of openbullet2 (0.3.2 and earlier) is flagged automatically.

Available
Triage

HarborGuard can surface this finding with its CVSS v4.0 score of 8.7 (HIGH) and apply each customer organization's compliance policy weighting to prioritize it relative to other open findings. Triage routing is available to direct the alert to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Available
Patch

Because no upstream fix has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version is released by the OpenBullet2 project. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The wordlist endpoint is exposed over the network, so an attacker must be able to reach the OpenBullet2 service via HTTP/HTTPS.

  • AuthenticationRequired

    A valid account is needed to reach the vulnerable endpoint, though any low-privilege account is sufficient to trigger the path traversal.

  • Victim interactionNot required

    The attacker sends crafted requests directly to the API; no action from another user is needed.

  • Attack complexityDetail

    Exploitation is reliable and condition-free; no race conditions or specific memory layout requirements are involved.

Blast Radius

  • An attacker reads arbitrary files from the host filesystem, including credentials, private keys, and application secrets.
  • An attacker writes arbitrary content to any file reachable by the process, enabling modification of /etc/passwd or other critical system files.
  • An attacker deletes arbitrary files, disrupting or destroying running services and persistent data.
  • Because the application runs as root by default, any of these primitives extend to full system compromise, including remote code execution via crafted file manipulation.

How HarborGuard Handles This

Available on HarborGuard: detection of this vulnerability is active for all images containing openbullet2 0.3.2 or earlier, with findings scored at CVSS v4.0 8.7 (HIGH) and routed per each organization's compliance policy. Because no upstream patch exists as of the CVE publication date (2026-06-08), HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment OpenBullet2 ships a fix. In the interim, compensating controls worth evaluating include network-policy rules that restrict access to the OpenBullet2 service to trusted source IPs only, read-only filesystem mounts where the application's write access is not needed for core functionality, and running the container as a non-root user via a securityContext override to limit the blast radius of the file write and delete primitives. For customers who opt into auto-remediation, once a fix version is published the full rebuild, regression test run, and PR-opening flow will execute without manual steps.

See how HarborGuard automates this
Affected packages
  • openbullet / openbullet2
    ≤ 0.3.2
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References