Severity: HIGH | CVE-2026-39908 | CNA: VulnCheck

CVE-2026-39908: OpenBullet2 0.3.2 NTLMv2 Hash Disclosure via UNC Path Proxy Source

OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.

Metrics

  • CVSS v4.0: 7.1
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a credential disclosure vulnerability in OpenBullet2 version 0.3.2 and earlier on Windows. An attacker with a low-privilege account can configure a job proxy source to point at a UNC path on an attacker-controlled server; when the job runs, the application triggers an SMB authentication attempt that leaks the NTLMv2 hash of the process user. The captured hash can be cracked offline or relayed to authenticate against other services in the environment. No fix version has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images containing OpenBullet2, as they flow through registries and CI pipelines.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.1 (High) and weighting it against each environment's compliance policy to determine urgency; triage routing to the appropriate team inbox inside each customer org is available as part of the standard policy engine.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated release appears. In the meantime, the finding remains open and visible in each environment's vulnerability queue.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the OpenBullet2 instance over the network to configure the malicious proxy source, as the attack vector is network-based (AV:N).

  • Authentication: Required

    A low-privilege account is sufficient; the attacker must be authenticated to the application to configure job proxy sources (PR:L).

  • Victim interaction: Not required

    No victim interaction is needed; once the malicious proxy source is saved, the next job start triggers the SMB authentication attempt automatically (UI:N).

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable with no race conditions or special environmental dependencies required (AC:L).

Blast Radius

  • The NTLMv2 hash of the OS user account running the OpenBullet2 process is exposed to the attacker-controlled server.
  • An attacker can attempt to crack the captured hash offline to recover the plaintext password of that Windows account.
  • The hash can be relayed using standard NTLM relay techniques to authenticate against other Windows services in the same network, such as SMB shares or internal web applications.
  • Confidentiality of the process user credential is fully compromised (VC:H); integrity and availability of the host are not directly affected by this specific vector.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-39908, HarborGuard continuously monitors the advisory and will surface a patched-image rebuild as soon as OpenBullet2 publishes a remediated version. For environments that have auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated automatically at that point.

While waiting for an upstream patch, consider the following compensating controls where compliance policy permits:

  • Apply network-policy rules to block outbound SMB traffic (TCP 445) from containers running OpenBullet2, preventing the UNC-path authentication attempt from reaching attacker-controlled infrastructure.
  • Restrict the ability to configure proxy sources to the minimum necessary set of user accounts.
  • Run the OpenBullet2 process under a dedicated low-privilege service account so that any disclosed hash has minimal lateral-movement value.

The finding will remain flagged in each environment's vulnerability queue until a fix version is confirmed ingested.
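To support the proxy-source restriction above, the following added example (not HarborGuard or OpenBullet2 code) audits proxy-source strings and flags any that Windows would resolve over SMB, including forward-slash, device-path and file-URI spellings of a UNC path. The job-name-to-source mapping, the sample values and the `allowed_hosts` parameter are assumptions made for illustration.

```python
import re

# file://host/share/... (an empty authority, file:///C:/..., is a local file)
_FILE_URI = re.compile(r'^file:[\\/]{2}([^\\/]*)', re.I)
# \\?\UNC\host\share and \\.\UNC\host\share: device-path forms of a UNC path
_DEVICE_UNC = re.compile(r'^\\\\[?.]\\UNC\\([^\\]+)', re.I)
# \\?\C:\... and \\.\C:\... are local device paths, not network paths
_DEVICE_LOCAL = re.compile(r'^\\\\[?.]\\')
# \\host\share\...
_UNC = re.compile(r'^\\\\([^\\]+)')

def smb_host(source):
    """Return the server a Windows path would contact over SMB, else None."""
    s = source.strip().strip('"\'')
    m = _FILE_URI.match(s)
    if m:
        return m.group(1).lower() or None
    # Win32 path normalization treats '/' as '\', so //host/share is UNC too.
    p = s.replace('/', '\\')
    m = _DEVICE_UNC.match(p)
    if m:
        return m.group(1).lower()
    if _DEVICE_LOCAL.match(p):
        return None
    m = _UNC.match(p)
    return m.group(1).lower() if m else None

def audit(sources, allowed_hosts=()):
    """Return (job, host) for each proxy source naming a non-approved SMB host."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for job, source in sources.items():
        host = smb_host(source)
        if host is not None and host not in allowed:
            findings.append((job, host))
    return findings

# Constructed sample data; job names and paths are illustrative only.
SAMPLE = {
    "job-1": r"C:\data\proxies.txt",
    "job-2": r"\\203.0.113.7\share\proxies.txt",
    "job-3": "//files.corp.example/proxies/list.txt",
    "job-4": r"\\?\UNC\203.0.113.7\share\proxies.txt",
    "job-5": r"\\?\C:\data\proxies.txt",
    "job-6": "https://proxy-lists.example/list.txt",
}

if __name__ == "__main__":
    for job, host in audit(SAMPLE, allowed_hosts=["files.corp.example"]):
        print(f"{job}: proxy source resolves over SMB to {host}")
```

File URIs are flagged conservatively: whether the application resolves them as paths depends on how it opens the source.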

Affected packages
  • openbullet / openbullet2
    ≤ 0.3.2
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N