CVE-2026-39908: Insufficiently Protected Credentials in openbullet openbullet2
OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.
AI Analysis
Technical Summary
CVE-2026-39908 describes a credential disclosure vulnerability in OpenBullet2 (up to version 0.3.2) on Windows. The issue arises when a job proxy source is configured with a UNC path referencing an attacker-controlled server. Upon job execution, OpenBullet2 attempts to load proxies from this UNC path, triggering an SMB authentication attempt that leaks the NTLMv2 hash of the process user. This hash disclosure can be exploited by attackers to perform relay attacks or offline cracking. The vulnerability is remotely exploitable without user interaction and requires low attack complexity. No vendor advisory or patch information is currently provided.
Potential Impact
The vulnerability allows remote attackers to obtain the NTLMv2 hash of the user running OpenBullet2, potentially enabling credential relay or offline cracking attacks. This could lead to unauthorized access if the hash is successfully exploited. The CVSS score of 7.1 reflects a high impact due to credential disclosure and the potential for privilege escalation or lateral movement. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid configuring job proxy sources with UNC paths pointing to untrusted or attacker-controlled servers. Restricting network access to trusted hosts and monitoring proxy source configurations may reduce risk.
CVE-2026-39908: Insufficiently Protected Credentials in openbullet openbullet2
Description
OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline.
CVSS v4.0
Score 7.1high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-39908 describes a credential disclosure vulnerability in OpenBullet2 (up to version 0.3.2) on Windows. The issue arises when a job proxy source is configured with a UNC path referencing an attacker-controlled server. Upon job execution, OpenBullet2 attempts to load proxies from this UNC path, triggering an SMB authentication attempt that leaks the NTLMv2 hash of the process user. This hash disclosure can be exploited by attackers to perform relay attacks or offline cracking. The vulnerability is remotely exploitable without user interaction and requires low attack complexity. No vendor advisory or patch information is currently provided.
Potential Impact
The vulnerability allows remote attackers to obtain the NTLMv2 hash of the user running OpenBullet2, potentially enabling credential relay or offline cracking attacks. This could lead to unauthorized access if the hash is successfully exploited. The CVSS score of 7.1 reflects a high impact due to credential disclosure and the potential for privilege escalation or lateral movement. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid configuring job proxy sources with UNC paths pointing to untrusted or attacker-controlled servers. Restricting network access to trusted hosts and monitoring proxy source configurations may reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-07T20:57:06.209Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a26f68ee29bf47b50440d3c
Added to database: 6/8/2026, 5:06:22 PM
Last enriched: 6/8/2026, 5:18:44 PM
Last updated: 6/9/2026, 6:22:37 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.