HarborGuard Database
CVE-2026-25855 | Severity: HIGH | CNA: VulnCheck

CVE-2026-25855: OpenBullet2 0.3.2 Authenticated RCE via FileProxySource Script Upload

OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat, .ps1, .sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, causing the server to execute the scripts and return their output as proxy lines, resulting in arbitrary command execution on the host as the process user.

Metrics

  • CVSS v4.0 base score: 8.7
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

Remote code execution vulnerability in OpenBullet2 versions through 0.3.2, reachable over the network by any authenticated user. An attacker with a low-privilege account can upload a malicious script file (.bat, .ps1, or .sh) through the FileProxySource proxy loading feature, causing the server to execute the script and return output as proxy lines. Successful exploitation gives the attacker arbitrary command execution on the host as the process user. No fix versions have been published; HarborGuard tracks this advisory for patch availability.
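The mechanism above is the familiar "the upload is a program" mistake: a proxy-source loader that picks its behaviour from the file extension and, for script extensions, runs the file and reads its stdout as proxy lines. The following Python is an added illustration and not OpenBullet2's code: unsafe_loader_choice models only the decision the advisory describes (it executes nothing), and load_proxy_source is the hardened form, which ignores the file name, reads the upload as text and accepts only lines that match a strict proxy grammar. The regex, the Proxy type, the function names and the sample upload are all constructed for this example.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Extensions the advisory says the vulnerable loader hands to an interpreter.
SCRIPT_EXTENSIONS = {".bat", ".ps1", ".sh"}


def unsafe_loader_choice(filename: str) -> str:
    """Model of the vulnerable decision (hypothetical, not OpenBullet2's code):
    the loader is chosen by file extension, so a script upload is run and its
    stdout is taken as the proxy list. Returns the decision only; nothing runs."""
    ext = PurePosixPath(filename).suffix.lower()
    return "execute-and-capture-stdout" if ext in SCRIPT_EXTENSIONS else "read-lines"


@dataclass(frozen=True)
class Proxy:
    scheme: str
    host: str
    port: int
    username: Optional[str] = None
    password: Optional[str] = None


# Strict grammar for one proxy line: [scheme://]host:port[:user:pass]
_PROXY_RE = re.compile(
    r"^(?:(?P<scheme>https?|socks4a?|socks5h?)://)?"
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*|\[[0-9A-Fa-f:]+\]):(?P<port>\d{1,5})"
    r"(?::(?P<user>[^:\s]+):(?P<pw>[^:\s]+))?$"
)


def parse_proxy_line(line: str, default_scheme: str = "http") -> Optional[Proxy]:
    """Return a Proxy for a well-formed line, None for anything else."""
    m = _PROXY_RE.match(line.strip())
    if not m:
        return None
    port = int(m["port"])
    if not 1 <= port <= 65535:
        return None
    return Proxy(m["scheme"] or default_scheme, m["host"], port, m["user"], m["pw"])


def load_proxy_source(filename: str, content: bytes,
                      max_bytes: int = 1_000_000) -> Tuple[List[Proxy], List[Tuple[int, str]]]:
    """Hardened loader: the upload is data, never a program.

    The file name and extension are deliberately ignored, so there is no path
    on which an interpreter is chosen. Every line must match the proxy grammar
    or it is reported back as rejected; a script body yields no proxies.
    """
    if len(content) > max_bytes:
        raise ValueError(f"proxy source exceeds {max_bytes} bytes")
    text = content.decode("utf-8", errors="replace")
    proxies: List[Proxy] = []
    rejected: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        proxy = parse_proxy_line(line)
        if proxy is None:
            rejected.append((lineno, line))
        else:
            proxies.append(proxy)
    return proxies, rejected


if __name__ == "__main__":
    # Constructed sample: a shell script uploaded under the proxy-source feature.
    script_upload = b"#!/bin/sh\nid\ncat /etc/passwd\n"
    print(unsafe_loader_choice("proxies.sh"))              # execute-and-capture-stdout
    print(load_proxy_source("proxies.sh", script_upload))  # ([], [(1, '#!/bin/sh'), (2, 'id'), (3, 'cat /etc/passwd')])
```

Run against the constructed .sh upload, the hardened loader returns no proxies and reports every line as rejected; no code path ever hands the content to an interpreter, which is the property the vulnerable design lacks.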

HarborGuard Coverage

  • Detection: Available

    Detection for CVE-2026-25855 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built ones, in connected registries and CI/CD pipelines.

  • Triage: Available

    HarborGuard scores this CVE at CVSS v4.0 8.7 (HIGH) and weights it against each environment's compliance policy to route alerts to the appropriate team inbox within the customer organization.

  • Patch: Pending upstream

    Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as upstream ships a remediated release. In the meantime, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployments of affected images.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the OpenBullet2 service over the network; the vulnerable endpoint is exposed through its standard web interface.

  • Authentication: Required

    Any low-privilege account is sufficient; no elevated or administrative credentials are needed to reach the FileProxySource upload feature.

  • Victim interaction: Not required

    No victim action is needed; the attacker submits the malicious script directly and the server executes it without any user involvement.

  • Attack complexity: Low

    Exploitation is straightforward and reliable, with no race conditions, memory-layout dependencies, or other environmental preconditions.

Blast Radius

  • The attacker executes arbitrary OS commands on the host as the process user running OpenBullet2.
  • The attacker reads files and environment variables accessible to the process user, including credentials, configuration files, and API keys stored on disk.
  • The attacker modifies or deletes files within the reach of the process user, including application data and proxy configuration.
  • The attacker can disrupt the availability of the OpenBullet2 service by terminating processes or corrupting application state.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-25855 is active for all connected image registries and build pipelines, with severity scored at CVSS v4.0 8.7 (HIGH). Because no upstream patch exists as of the CVE publication date, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a fix version is published upstream. For customers who opt into auto-remediation, that rebuild is followed by a regression test run and a PR opened against affected workloads.

While no patch is available, recommended compensating controls are: restrict network access to the OpenBullet2 web interface with network policy, so that only trusted source addresses can reach the proxy-source upload endpoint; treat every account on the instance as a potential attacker, since any authenticated low-privilege user can trigger the execution; run the OpenBullet2 process as a dedicated, minimally privileged user, so that command execution gained through it is confined to that user's reach; and audit use of the FileProxySource feature in application logs, in particular uploads with .bat, .ps1 or .sh extensions. Where compliance policy permits, HarborGuard can gate deployment of images running the affected version until a fix is confirmed.

Affected packages

  • openbullet / openbullet2: ≤ 0.3.2
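Version matching is where scanners get this class of advisory wrong: the affected range is "through 0.3.2", and a plain string comparison puts 0.3.10 below 0.3.2. The following Python is an added example of the check and not HarborGuard's matching engine: version_key orders versions by semantic-versioning rules (numeric components, missing components as zero, pre-release before release) and find_affected filters a constructed (package, version) inventory of the kind extracted from an image. The package name string, the inventory and the function names are this example's own.

```python
import re
from typing import List, Tuple

AFFECTED_PACKAGE = "openbullet2"
LAST_AFFECTED_VERSION = "0.3.2"  # advisory: "through version 0.3.2", i.e. <= 0.3.2

# Accepts 1.2.3, v1.2.3, 1.2.3-beta.1 and 1.2.3+build (build metadata is ignored).
_VERSION_RE = re.compile(
    r"^v?(?P<num>\d+(?:\.\d+)*)(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def version_key(version: str) -> tuple:
    """Sort key that orders versions numerically, not lexically.

    Components compare as integers (so 0.3.10 > 0.3.2), missing components
    count as 0 (so 0.3 == 0.3.0), and a pre-release sorts before its release
    (so 0.3.3-rc1 < 0.3.3), following the semantic-versioning rules.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numeric = tuple(int(part) for part in m["num"].split("."))
    numeric += (0,) * (4 - len(numeric))
    if m["pre"] is None:
        return (numeric, 1, ())
    # Numeric pre-release identifiers sort before alphanumeric ones.
    pre = tuple((0, int(p)) if p.isdigit() else (1, p) for p in m["pre"].split("."))
    return (numeric, 0, pre)


def is_affected(version: str, last_affected: str = LAST_AFFECTED_VERSION) -> bool:
    """True when version falls inside the advisory's range (<= last_affected)."""
    return version_key(version) <= version_key(last_affected)


def find_affected(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter a (package, version) inventory, e.g. one extracted from an image."""
    return [(name, ver) for name, ver in inventory
            if name.lower() == AFFECTED_PACKAGE and is_affected(ver)]


if __name__ == "__main__":
    # Constructed inventory; only the first and third entries are in range.
    inventory = [("openbullet2", "0.3.2"), ("openbullet2", "0.3.10"),
                 ("OpenBullet2", "0.1.0+git"), ("curl", "8.4.0")]
    print(find_affected(inventory))
```

An unparseable version string raises rather than silently comparing as "not affected"; a scanner that swallows that error will under-report.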
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
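The Exploit Conditions section above is a reading of this vector. The following Python is an added example and not HarborGuard's triage code: it parses a CVSS v4.0 vector string, rejects vectors that are malformed, incomplete or not v4.0, and maps the base metrics back to the conditions listed on this page. It parses and validates only and does not compute the 8.7 base score. The metric and value abbreviations are the CVSS v4.0 base metrics; the function names and the malformed sample vectors are this example's own.

```python
from typing import Dict

# Base metrics of a CVSS v4.0 vector and the values each may take.
CVSS4_BASE_METRICS: Dict[str, set] = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}


def parse_cvss4_vector(vector: str) -> Dict[str, str]:
    """Parse 'CVSS:4.0/AV:N/...' into {metric: value}, rejecting malformed input."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name in metrics:
            raise ValueError(f"malformed or duplicate metric: {part!r}")
        metrics[name] = value
    missing = [m for m in CVSS4_BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    for name, allowed in CVSS4_BASE_METRICS.items():
        if metrics[name] not in allowed:
            raise ValueError(f"bad value {metrics[name]!r} for {name}")
    return metrics


def exploit_conditions(metrics: Dict[str, str]) -> Dict[str, object]:
    """Translate base metrics into the conditions listed on the advisory."""
    return {
        "network_reachability": {"N": "Network", "A": "Adjacent network",
                                 "L": "Local", "P": "Physical"}[metrics["AV"]],
        "authentication": {"N": "Not required", "L": "Required (low privilege)",
                           "H": "Required (high privilege)"}[metrics["PR"]],
        "victim_interaction": {"N": "Not required", "P": "Passive", "A": "Active"}[metrics["UI"]],
        "attack_complexity": {"L": "Low", "H": "High"}[metrics["AC"]],
        "attack_requirements": {"N": "None", "P": "Present"}[metrics["AT"]],
        # Confidentiality / integrity / availability impact on the vulnerable system.
        "vulnerable_system_impact": tuple(metrics[k] for k in ("VC", "VI", "VA")),
        # True only if the vector claims impact beyond the vulnerable system.
        "subsequent_system_impact": any(metrics[k] != "N" for k in ("SC", "SI", "SA")),
    }


def triage(vector: str) -> Dict[str, object]:
    return exploit_conditions(parse_cvss4_vector(vector))


if __name__ == "__main__":
    print(triage("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"))
```

For this advisory the result agrees with the Exploit Conditions and Blast Radius sections: network reachable, low-privilege authentication, no victim interaction, low complexity, full impact on the vulnerable host and none claimed on subsequent systems.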