CVE-2026-25559: OpenBullet2 Path Traversal Remote Code Execution
OpenBullet2 versions up to 0.3.2 contain a critical file manipulation flaw that lets authenticated users read, write, and delete arbitrary files on the system. An attacker with valid credentials can exploit this to modify or delete system files, potentially gaining complete control of the host. The risk is particularly severe because OpenBullet2 typically runs with root privileges, meaning any file manipulation has system-wide impact.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-14
NVD description (verbatim)
OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can chain the file write and delete primitives to achieve remote code execution by manipulating critical system files such as /etc/passwd, with full system impact since the application runs as root by default.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-25559 is a path traversal vulnerability (CWE-22) affecting OpenBullet2 through version 0.3.2. The vulnerability exists in the wordlist endpoint and upload handler, which fail to properly sanitize absolute paths supplied by authenticated users. This allows attackers to bypass directory restrictions and perform arbitrary file operations. The vulnerability can be chained—specifically, file write and delete primitives can be combined to modify critical system files such as /etc/passwd, achieving remote code execution when the application runs with elevated privileges.
Business impact
An authenticated attacker exploiting this vulnerability can achieve unrestricted system compromise. The combination of read, write, and delete capabilities, coupled with root-level execution, means an attacker could alter system configurations, inject malicious code, create backdoor accounts, or destroy audit logs and evidence. Organizations using OpenBullet2 in production face risk of unauthorized access, data theft, lateral movement to other systems, and operational disruption.
Affected systems
OpenBullet2 versions 0.3.2 and earlier are affected. The vulnerability requires authentication to trigger, so exposure is limited to authorized or compromised user accounts. Systems running OpenBullet2 with root or high-privilege accounts are at maximum risk. Verify your deployed version against the OpenBullet2 release history to confirm exposure.
Exploitability
Exploitation requires valid authentication credentials, which reduces the immediate risk from anonymous attackers. However, the attack surface is broad—any user with login access, including compromised credentials or insider threats, can leverage this flaw without special technical skill or user interaction. The CVSS 3.1 score of 8.8 (HIGH) reflects the high confidentiality, integrity, and availability impact offset only by the authentication requirement.
Remediation
Upgrade OpenBullet2 to a patched version that properly validates and sanitizes file paths in the wordlist endpoint and upload handler. Check the official OpenBullet2 repository or vendor advisory for the minimum secure version. In the interim, restrict network access to the OpenBullet2 service to trusted hosts only, enforce strong authentication controls, and run the application with the minimum necessary privilege level (avoid root execution whenever possible).
Patch guidance
Consult the official OpenBullet2 project repository or advisory for confirmed patch versions that address path traversal in the wordlist endpoint. Apply patches to all instances of OpenBullet2 in your environment, including development, testing, and production. After patching, verify that the upload and wordlist functions reject or safely handle absolute paths. Consider running the application with a dedicated non-root service account to limit impact if other vulnerabilities emerge.
Detection guidance
Monitor application logs for unusual file operations, especially attempts to access or modify files outside the intended wordlist directory. Look for requests to the wordlist endpoint containing path traversal indicators such as `../`, absolute paths (starting with `/`), or encoded equivalents. Set up alerting on failed authentication attempts followed by successful logins, which may indicate credential compromise. Network-based detection should flag requests with suspicious file paths in POST/upload parameters.
Why prioritize this
This vulnerability merits urgent patching because it enables complete system compromise when chained with root execution. The authentication requirement provides some defense, but a single compromised or malicious user account leads to unrestricted file system access and code execution. Organizations should treat this as a critical priority in systems managing sensitive data or running in production environments.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects the combination of network-accessible endpoint (AV:N), low attack complexity (AC:L), high impact to confidentiality, integrity, and availability (C:H/I:H/A:H), and unchanged scope (S:U). The score is High rather than Critical solely because the flaw requires prior authentication (PR:L). In practical terms, the ability to chain file write and delete to achieve RCE as root elevates actual risk significantly.
Frequently asked questions
Does this vulnerability affect unauthenticated users?
No. The path traversal requires valid authentication credentials. However, any valid user account—whether legitimate, compromised, or insider—can exploit the flaw. Organizations should audit user access and enforce strong credential hygiene.
What is the difference between file write and RCE in this context?
File write allows an attacker to create or modify files on disk. When chained with file delete and executed as root, an attacker can overwrite critical system files (like /etc/passwd or cron jobs) to execute arbitrary commands, achieving remote code execution. This escalation is what elevates the vulnerability from data tampering to full system compromise.
Can we mitigate this by running OpenBullet2 as a non-root user?
Running as a non-root user significantly limits damage—the attacker would only be able to read, write, and delete files the application user can access, rather than system-critical files. This is a strong defensive measure while you prepare to patch, but it does not eliminate the vulnerability itself.
What does 'CWE-22' mean?
CWE-22 is Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). It describes the root cause: the application fails to validate and restrict file paths, allowing attackers to escape intended directory boundaries and access arbitrary locations in the file system.
This analysis is based on the CVE-2026-25559 public record as of the modification date (2026-07-14). Verify patch availability and version numbers directly with the OpenBullet2 project or official security advisories before deploying fixes. SEC.co does not provide or endorse exploit code or weaponized proof-of-concepts. Organizations should conduct their own risk assessment based on their specific deployment, authentication model, and network architecture. This information is provided for defensive security purposes only. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-11416HIGHMoviePilot Path Traversal in Cloud Storage Download Handlers
- CVE-2026-11419HIGHAltium Enterprise Server Path Traversal – Arbitrary File Write
- CVE-2026-22926HIGHOmnissa Workspace ONE Assist macOS Local Privilege Escalation