CVE-2026-31893
Analyzed Analyzed - Analysis Complete
Tunnelblick Symlink Following Local Privilege Escalation

Publication date: 2026-05-05

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31893
EUVD
EUVD-2026-27434
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
tunnelblick tunnelblick From 3.5.3 (inc) to 8.0.1 (exc)
tunnelblick tunnelblick 8.1
tunnelblick tunnelblick 8.1
tunnelblick tunnelblick 8.1
tunnelblick tunnelblick 9.0
tunnelblick tunnelblick 3.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows any local user to read arbitrary root-owned files without authorization by exploiting a symlink following flaw in Tunnelblick. This unauthorized access to sensitive system files could lead to exposure of confidential or personal data.

Such unauthorized data access may violate compliance requirements under standards like GDPR and HIPAA, which mandate strict controls on access to sensitive and personal information to protect privacy and ensure data security.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to improper access controls and potential data breaches.

Executive Summary

CVE-2026-31893 is a vulnerability in Tunnelblick, an open source GUI for OpenVPN on macOS. It allows any local user to read arbitrary root-owned files without authorization by exploiting a symlink following flaw in the tunnelblick-helper component.

The vulnerability arises because the tunnelblickd Unix socket is world-accessible with mode 0666, allowing any local user to connect without authorization checks. The tunnelblick-helper process reads a config.ovpn file inside a user-controlled .tblk directory as root, but it does not validate symlinks.

An attacker can create a malicious .tblk directory containing a symlinked config.ovpn file that points to any root-owned file. When tunnelblickd reads this file, it follows the symlink and reads the target file as root, bypassing normal file permissions.

This issue affects versions 3.3beta26 through 9.0beta01 and was fixed in version 9.0beta02.

Impact Analysis

This vulnerability allows any local user on a macOS system running vulnerable versions of Tunnelblick to read arbitrary files owned by root without needing authentication.

An attacker could exploit this to access sensitive system files, configuration files, or credentials that are normally protected, potentially leading to information disclosure.

Since the attack does not require user interaction and leverages a world-accessible socket, it can be performed stealthily by any local user.

Detection Guidance

This vulnerability can be detected by checking for the presence of the tunnelblickd Unix socket with world-accessible permissions (mode 0666) and verifying the Tunnelblick version installed on the system.

  • Use the command `ls -l /path/to/tunnelblickd/socket` to check the socket permissions and confirm if it is set to 0666.
  • Check the installed Tunnelblick version with `Tunnelblick --version` or by inspecting the application info to determine if it is between versions 3.3beta26 and 9.0beta01, which are vulnerable.
  • Look for suspicious .tblk directories created by local users that contain symlinked config.ovpn files pointing to sensitive root-owned files.
Mitigation Strategies

The immediate mitigation step is to update Tunnelblick to a patched version that addresses this vulnerability.

  • Upgrade to Tunnelblick version 9.0beta02 or later, or version 8.0.1 or later, which include fixes for CVE-2026-31893.
  • Verify the integrity of the update by checking the provided hashes (MD5, SHA1, SHA256) for the disk image before installation.
  • Restrict permissions on the tunnelblickd Unix socket to prevent unauthorized local users from connecting.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart