CVE-2026-25555

Published: Giu 08, 2026 Last Modified: Giu 08, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

CRITICAL 9,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials.

305

Authentication Bypass by Primary Weakness

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Bypass Protection Mechanism

Applicable Platforms

All platforms may be affected

View CWE Details

https://hackernoon.com/one-empty-header-to-admin-how-an-aut…

https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-open…

https://www.vulncheck.com/advisories/openbullet2-authentica…

https://www.vulncheck.com/advisories/openbullet2-authentication-bypass-via-x-ap…

CVE-2026-25555

Description

Authentication Bypass by Primary Weakness

Common Consequences

Applicable Platforms

Iscriviti alla newsletter