A critical authentication bypass in OpenBullet2 lets unauthenticated attackers gain full admin access simply by sending an empty X-Api-Key header.
What Is It
CVE-2026-25555 is an authentication bypass vulnerability in the API key authentication middleware of OpenBullet2 through version 0.3.2. The middleware compares the value supplied in the X-Api-Key header against the default AdminApiKey, which ships as an empty string. By sending an empty X-Api-Key header value, an unauthenticated attacker satisfies that comparison and is granted admin access without any valid credentials. The flaw is classified as CWE-305 (Authentication Bypass by Primary Weakness).
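To make the flaw class concrete, here is an added, constructed model of the check described above, side by side with a hardened form; it is not OpenBullet2's own middleware code, and the function and parameter names are assumptions. The vulnerable version compares the header value with plain equality against a configured key that defaults to an empty string, so an empty X-Api-Key header matches; the hardened version fails closed when no key is configured, rejects empty input, and compares in constant time.

```python
import hmac
from typing import Mapping, Optional

# Constructed illustration of the CVE-2026-25555 flaw class, not the project's code.
# The advisory states the shipped default AdminApiKey is an empty string.
DEFAULT_ADMIN_API_KEY = ""


def vulnerable_is_admin(headers: Mapping[str, str],
                        configured_key: str = DEFAULT_ADMIN_API_KEY) -> bool:
    """Vulnerable check: an unconfigured key ("") equals an empty header value.

    Header lookup is exact-match here for brevity; a real server normalises
    header-name case before this point.
    """
    supplied = headers.get("X-Api-Key")
    if supplied is None:
        return False  # header absent: rejected
    return supplied == configured_key  # "" == "" -> True: the bypass


def hardened_is_admin(headers: Mapping[str, str],
                      configured_key: Optional[str] = None) -> bool:
    """Hardened check: fail closed on a missing or empty configured key,
    reject empty client input, and compare in constant time."""
    if not configured_key:  # None or "": treat the admin API as disabled
        return False
    supplied = headers.get("X-Api-Key", "")
    if not supplied:
        return False
    return hmac.compare_digest(supplied.encode(), configured_key.encode())


if __name__ == "__main__":
    probe = {"X-Api-Key": ""}  # constructed request carrying an empty header
    print("vulnerable check accepts empty header:", vulnerable_is_admin(probe))
    print("hardened check accepts empty header:", hardened_is_admin(probe))
```

The same hardened logic also gives operators a quick configuration test: if the admin key is unset, every request should be refused rather than silently accepted.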
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.8 (CRITICAL) and a CVSS 4.0 score of 9.3 (CRITICAL). It is exploitable over the network with low attack complexity, requires no privileges, and needs no user interaction. A successful exploit has high impact on confidentiality, integrity, and availability, meaning an attacker can reach the admin console and every API endpoint. Because the trigger is a single empty header, exploitation is trivial and requires no special tooling.
What's Vulnerable
OpenBullet2 through version 0.3.2 is affected. Any deployment exposing the API or admin console reachable over the network is at risk, since the default AdminApiKey is an empty string that the middleware will match against an empty supplied header.
Patch Status
The supplied source material does not include a CISA KEV entry, so there is no confirmation of active exploitation in the wild and no federally mandated remediation deadline in the provided data. No specific fixed version or required-action guidance is present in the supplied NVD record. Organizations running OpenBullet2 0.3.2 or earlier should treat this as critical and consult the vendor advisory below for remediation details.