CRITICAL🇵🇱 Wersja polska

CVE-2026-41070

CVSS 10.0v3.1pub. 2026-05-08upd. 2026-05-13

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.

🤖 AI Analysis
How it works

The problem concerns the mode of operation as a shared library loaded by OpenVPN using the plugin directive. In this mode, the plugin relies on the OpenVPN plugin return-code mechanism. Clients that do not support WebAuth/SSO (e.g., openvpn CLI on Linux) do not properly go through the OIDC authentication flow, and an error in handling the return code causes them to be incorrectly accepted instead of rejected. The default mode of operation via the management interface (management-interface mode) is not vulnerable because it does not use this mechanism.

Impact

An unauthorized client can gain full access to the VPN network without passing the required SSO/OIDC authentication, which may lead to violation of confidentiality and integrity of network resources protected by the VPN.

Mitigation & patch

Update openvpn-auth-oauth2 to version 1.27.3 or later, where the issue has been resolved. As a temporary workaround, you can abandon plugin mode and use the default management-interface mode, which is not vulnerable to this flaw.

Who is affected

openvpn-auth-oauth2 in versions from 1.26.3 to 1.27.2 (inclusive), only when the plugin is running in experimental plugin mode (shared library) — management-interface mode is not vulnerable

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
VPNAuth Bypass
CWE
References