HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-25856Published Modified CNA VulnCheck

CVE-2026-25856: OpenBullet2 0.3.2 Authenticated RCE via Job Configuration Interface

OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Authenticated remote code execution (RCE) affects OpenBullet2 versions through 0.3.2. The vulnerability is reachable over the network by any authenticated user and requires no special privileges beyond a valid account; the job configuration interface accepts raw C# code and executes it on the server without filtering or API restrictions. Successful exploitation gives the attacker arbitrary code execution on the host as the process user, enabling full file system access, process spawning, and unrestricted .NET API calls. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle OpenBullet2. Coverage extends to any image layer where the affected package is present, regardless of base image origin.

Available
Triage

HarborGuard scores this finding at CVSS 8.7 (HIGH) using the published v4.0 vector and applies per-environment compliance policy weighting to prioritize routing. Triage alerts are delivered to the inbox or ticketing integration configured for each customer org, so the right team sees the finding without manual triage queuing.

Available
Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without requiring manual intervention once a fix version is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable job configuration interface is exposed over the network, so an attacker must be able to reach the OpenBullet2 service via HTTP/HTTPS.

  • AuthenticationRequired

    A valid account is required, but any low-privilege user account is sufficient; no administrative role is needed to create or modify job configurations.

  • Victim interactionNot required

    The attacker submits a malicious job configuration directly; no action by another user or administrator is needed to trigger execution.

  • Attack complexityDetail

    Exploitation is reliable and condition-free; no race condition, memory layout dependency, or environmental prerequisite stands between authentication and code execution.

Blast Radius

  • The attacker executes arbitrary C# code on the server as the process user, gaining full control of the running application process.
  • The attacker reads, writes, or deletes files anywhere on the host file system that the process user can access, including credentials, configuration files, and stored data.
  • The attacker spawns arbitrary child processes on the host, enabling lateral movement, persistence mechanisms, or secondary payload deployment.
  • The attacker invokes unrestricted .NET APIs, allowing exfiltration of environment variables, secrets injected at container runtime, and any in-memory application state.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-25856 has been published as of the CVE record date, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment OpenBullet2 ships a remediated release. For customers with auto-remediation enabled, that event triggers an immediate rebuild, regression test run, and PR opened against affected workloads without manual steps. In the interim, recommended compensating controls include applying network policy to restrict access to the OpenBullet2 service to known, trusted IP ranges; enforcing strict account creation controls to limit who can obtain credentials; and, where compliance policy permits, using egress filtering to block outbound connections from the container to reduce the blast radius of in-process code execution. HarborGuard will re-evaluate triage priority if the upstream maintainer publishes severity updates or a workaround advisory.

See how HarborGuard automates this
Affected packages
  • openbullet / openbullet2
    ≤ 0.3.2
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References