OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.
PUBLISHED5.2CWE-522x_open-source
OpenBullet2 0.3.2 NTLMv2 Hash Disclosure via UNC Path Proxy Source
Problem type
Affected products
openbullet
openbullet2
<= 0.3.2 - AFFECTED
References
hackernoon.com
https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2
vulncheck.com
https://www.vulncheck.com/advisories/openbullet2-ntlmv2-hash-disclosure-via-unc-path-proxy-source
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-39908Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-39908",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-06-08T18:06:43.929Z",
"dateReserved": "2026-04-07T20:57:06.209Z",
"datePublished": "2026-06-08T16:47:18.702Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-06-08T16:51:05.991Z"
},
"datePublic": "2026-06-05T00:00:00.000Z",
"title": "OpenBullet2 0.3.2 NTLMv2 Hash Disclosure via UNC Path Proxy Source",
"descriptions": [
{
"lang": "en",
"value": "OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline."
}
],
"affected": [
{
"vendor": "openbullet",
"product": "openbullet2",
"repo": "https://github.com/openbullet/openbullet2",
"defaultStatus": "affected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "0.3.2"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Insufficiently Protected Credentials",
"cweId": "CWE-522",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2",
"tags": [
"technical-description",
"exploit"
]
},
{
"url": "https://www.vulncheck.com/advisories/openbullet2-ntlmv2-hash-disclosure-via-unc-path-proxy-source",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM"
}
}
],
"credits": [
{
"lang": "en",
"value": "Maksim Rogov",
"type": "finder"
},
{
"lang": "en",
"value": "VulnCheck",
"type": "finder"
}
],
"tags": [
"x_open-source"
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-06-08T18:06:43.929Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}