OpenBullet2 0.3.2 Authenticated RCE via Job Configuration Interface
CVE-2026-25856

8.7HIGH

Key Information:

Vendor: Openbullet
Status: Openbullet2
Vendor: CVE Published:; 8 June 2026

Badges

👾 Exploit Exists

What is CVE-2026-25856?

OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.

Affected Version(s)

openbullet2 0 <= 0.3.2

References

https://hackernoon.com/one-empty-header-to-admin-how-an-a...

technical-descriptionexploit

https://www.vulncheck.com/advisories/openbullet2-authenti...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 8, 2026
👾
Exploit known to exist
Jun 8, 2026
Vulnerability published
Jun 8, 2026
Vulnerability Reserved
Feb 6, 2026

Credit

Maksim Rogov

VulnCheck

CVE-2026-25856 Data

JSON

Openbullet

Badges

What is CVE-2026-25856?

Affected Version(s)

References

CVSS V4

Timeline

Credit