HIGH 8.8

CVE-2026-25856: OpenBullet2 Authenticated Remote Code Execution Vulnerability

OpenBullet2 through version 0.3.2 allows authenticated users to execute arbitrary code on the hosting server. An attacker with valid credentials can modify job configurations to inject and run C# code, gaining the ability to read files, launch programs, and call any .NET function available to the application process. This is a post-authentication vulnerability, meaning the attacker must already have login access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-07-14

NVD description (verbatim)

OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-25856 is an authenticated remote code execution vulnerability in OpenBullet2 affecting versions up to 0.3.2. The vulnerability stems from insufficient input validation and unsafe code execution in the job configuration handler. Specifically, the plain C# execution mode does not implement reference filtering or API restrictions, allowing an authenticated user to inject arbitrary C# code that executes with the privileges of the host process. An attacker can leverage reflection and .NET framework APIs to perform filesystem operations, process creation, and other system-level tasks. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code).

Business impact

Organizations running OpenBullet2 face a significant insider threat if legitimate user accounts are compromised or if administrative trust is misplaced. An attacker with authenticated access can pivot from credential testing or configuration tasks into full server compromise, potentially leading to data exfiltration, malware deployment, or lateral movement within the network. The impact is particularly severe in multi-tenant or shared hosting scenarios where multiple users have administrative roles.

Affected systems

OpenBullet2 versions through 0.3.2 are vulnerable. Determine your current version and cross-reference against the vendor's version history. Installations running versions prior to the fix are at risk.

Exploitability

Exploitation requires valid authentication credentials to the OpenBullet2 application. The attack vector is network-based and does not require user interaction; an authenticated attacker can directly craft malicious job configurations. The low complexity and lack of compensating controls make this straightforward to exploit once credentials are obtained. The vulnerability is not currently tracked on CISA's KEV catalog, though that status may evolve as public awareness increases.

Remediation

Upgrade OpenBullet2 to a patched version beyond 0.3.2. Consult the official OpenBullet2 repository or vendor advisory to confirm the minimum safe version. Additionally, enforce strong authentication practices, limit administrative account distribution, and implement principle of least privilege for application user roles.

Patch guidance

Check the official OpenBullet2 project (verify against the vendor advisory or GitHub releases) for the first version that addresses this vulnerability. Apply the patch to all instances. If you maintain OpenBullet2 in a containerized environment, rebuild and redeploy images with the updated version. Test patches in a staging environment before production rollout.

Detection guidance

Monitor for suspicious job configuration submissions or modifications, particularly those containing C# code snippets or references to dangerous namespaces (System.Diagnostics, System.IO, System.Reflection, System.Net). Log authentication events and correlate them with unusual API activity. Network detection should flag attempts to access the job configuration endpoints with payloads containing executable code patterns. Examine audit logs for configuration changes made by unexpected user accounts.

Why prioritize this

This vulnerability merits rapid remediation because it provides direct, post-authentication code execution with full system access. The CVSS 3.1 score of 8.8 (HIGH) reflects high impact to confidentiality, integrity, and availability. Although authentication is required, credential compromise is common, and the vulnerability becomes critical in environments with weak access controls or high-trust user bases. Organizations should treat this as a priority patch.

Risk score, explained

The CVSS 3.1 base score of 8.8 is driven by HIGH ratings across confidentiality, integrity, and availability impacts. The attack vector is NETWORK, requiring no special network positioning. Attack complexity is LOW, indicating no special conditions are needed beyond valid credentials. Privileges required (LOW) means only authenticated access, which is often easier to obtain than system-level access. No user interaction is required, allowing silent exploitation. The vulnerability affects the integrity and confidentiality of the entire system.

Frequently asked questions

Does this vulnerability affect my OpenBullet2 installation if I restrict job configuration editing to administrators only?

Restricting configuration editing helps reduce exposure, but it does not eliminate risk. Any compromise of an administrative account allows exploitation. The vulnerability remains present in the code until you upgrade, so you must assume all authenticated users with configuration privileges are potential attack paths.

Can I detect active exploitation of this vulnerability?

Yes, focus on job configuration submissions that contain suspicious C# code, references to System namespaces for I/O or process management, or unusual API calls. Monitoring authentication logs combined with configuration endpoint access can reveal attack patterns. However, sophisticated attackers may obfuscate code, so detection should be layered with network monitoring and behavioral analysis.

Is there a workaround if I cannot upgrade immediately?

Workarounds are limited because the vulnerability is embedded in the code execution engine. You can reduce immediate risk by strictly controlling who has authentication credentials, disabling administrative accounts when not in use, and implementing network segmentation to limit lateral movement if a server is compromised. However, these are interim measures only—upgrade as soon as feasible.

What versions of OpenBullet2 are safe to use?

Consult the official OpenBullet2 project repository or vendor advisory to identify the first patched version after 0.3.2. Do not assume that minor version increments are safe without explicit confirmation from the maintainers.

This analysis is provided for informational purposes and reflects the vulnerability details available as of the publication date. Always verify patch version numbers and availability against official vendor advisories before deploying updates. The information herein does not constitute legal or professional security advice; consult your security team and vendor documentation for guidance specific to your environment. No exploit code or step-by-step weaponization details are provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).