CVE-2026-41070
Incorrect VPN Access in openvpn-auth-oauth2 Plugin Mode

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
openvpn-auth-oauth2 is a plugin/management-interface client for the OpenVPN server that handles OIDC-based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.
Meta Information
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor / Product        Version / Range
openvpn-auth-oauth2     1.26.3 to 1.27.3 (exclusive)
openvpn-auth-oauth2     1.27.3 *
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in openvpn-auth-oauth2 versions from 1.26.3 up to but not including 1.27.3 when used in experimental plugin mode. In this mode, clients that do not support WebAuth/SSO, such as the openvpn CLI on Linux, are incorrectly allowed to connect to the VPN even though the authentication logic should deny them. This happens because the plugin's return-code mechanism is not properly enforced in this mode. The default management-interface mode is not affected.


How can this vulnerability impact me?

This vulnerability can allow unauthorized clients that do not support the intended WebAuth/SSO authentication to gain access to the VPN. This means that users who should be denied access might be admitted, potentially exposing the internal network to unauthorized access and increasing the risk of data breaches or other security incidents.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade openvpn-auth-oauth2 to version 1.27.3 or later where the issue has been patched.

Avoid using the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive) with versions from 1.26.3 up to but not including 1.27.3, as this mode is affected.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized clients to bypass authentication and gain access to the VPN, which can lead to unauthorized access to sensitive data.

Such unauthorized access can compromise confidentiality and integrity of data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate strict access controls and protection of personal and health information.

Because the vulnerability results in a critical authentication bypass with a CVSS score of 10.0, it poses a significant risk to maintaining compliance with these regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs when the openvpn-auth-oauth2 plugin is used in experimental plugin mode (shared library loaded by OpenVPN) and incorrectly allows clients that do not support WebAuth/SSO to connect. Detection involves verifying if your OpenVPN server is running openvpn-auth-oauth2 versions from 1.26.3 up to before 1.27.3 in experimental plugin mode.

To detect exploitation attempts or presence of unauthorized clients, you can monitor OpenVPN server logs for connections from clients that do not support WebAuth/SSO, such as the openvpn CLI on Linux, which should normally be denied.

There are no specific commands provided in the available resources to detect this vulnerability directly. However, general steps include:

  • Check the version of openvpn-auth-oauth2 plugin in use to confirm if it is within the vulnerable range (1.26.3 to before 1.27.3).
  • Inspect OpenVPN server configuration to see if the plugin is loaded in experimental plugin mode via the plugin directive.
  • Review OpenVPN logs for unexpected successful authentications from clients known not to support WebAuth/SSO (e.g., openvpn CLI on Linux).
  • Use network monitoring tools to identify VPN connections from unauthorized clients.

Upgrading the plugin to version 1.27.3 or later is the recommended mitigation.
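The first two detection steps above (version range check and plugin-directive inspection) as a small added script; this is example code, not from the advisory or the openvpn-auth-oauth2 project, and the library and config paths in the constructed sample config are assumptions.

```python
# Added example (not from the advisory or the openvpn-auth-oauth2 project):
# implements detection steps 1 and 2 for CVE-2026-41070. Paths in the
# constructed sample config are assumptions, not real project defaults.
import re
from typing import Optional

AFFECTED_MIN = (1, 26, 3)  # first affected release, per the advisory
FIXED = (1, 27, 3)         # first patched release, per the advisory

# Constructed sample server.conf using the experimental plugin mode.
SAMPLE_CONF = """\
dev tun
# experimental plugin mode: shared library loaded via the plugin directive
plugin /usr/lib/openvpn/plugins/openvpn-auth-oauth2.so /etc/openvpn/oauth2.conf
management /run/openvpn/server.sock unix
"""

def parse_version(text: str) -> tuple:
    """Parse '1.27.2' or 'v1.27.2' into a comparable (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version in {text!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(version: str) -> bool:
    """True when the version lies in [1.26.3, 1.27.3), the affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED

def plugin_mode_enabled(conf: str) -> Optional[str]:
    """Return the library path when a 'plugin' directive loads
    openvpn-auth-oauth2; None means management-interface mode (or no plugin).
    Comments and blank lines are skipped."""
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "plugin" and "openvpn-auth-oauth2" in parts[1]:
            return parts[1]
    return None

def assess(conf: str, version: str) -> str:
    """Combine both checks into one verdict for the given config and version."""
    path = plugin_mode_enabled(conf)
    if path is None:
        return "not affected: management-interface mode, plugin directive not used"
    if not version_affected(version):
        return f"not affected: {path} at {version} is outside 1.26.3 <= v < 1.27.3"
    return f"AFFECTED: {path} loaded in plugin mode at {version}; upgrade to 1.27.3 or later"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "v1.27.1"))
```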

