CVE-2026-9560
Privilege Escalation in OpenVPN Connect macOS via IPC Channel
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: OpenVPN Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openvpn | connect | From 3.5.1 (inc) to 3.8.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-648 | The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. |
| CWE-270 | The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. |
| CWE-267 | A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a privilege escalation issue in the background service of OpenVPN Connect versions 3.5.1 through 3.8.1 on macOS. It allows attackers to execute arbitrary commands with elevated privileges by exploiting a local inter-process communication (IPC) channel.
How can this vulnerability impact me? :
An attacker who successfully exploits this vulnerability can run arbitrary commands with elevated privileges on the affected macOS system. This could lead to unauthorized access, modification, or control over system resources and data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update OpenVPN Connect on macOS to version 3.8.2 (6009) or later, which includes a fix for the privilege escalation issue in the privileged helper component.