Network Infrastructure
CVE-2026-41070 critical CVSS 10.0

Authentication Bypass in openvpn (CVE-2026-41070)

Summary

Authentication bypass in openvpn (CVE-2026-41070). Confidential information can be exposed externally. Exploitable via `plugin`.

AI summary openai / gpt-4o

Companies using OpenVPN plugins may face authentication issues, allowing unauthorized access in certain versions (1.26.3 to 1.27.2). If this plugin is in use, update immediately to version 1.27.3 or switch to a non-plugin mode. Past incidents with similar issues have caused significant harm, necessitating prompt action.
This vulnerability occurs in the OpenVPN plugin, openvpn-auth-oauth2, in versions 1.26.3 to 1.27.2 when used in an experimental plugin mode. The issue arises when clients not supporting OIDC SSO (such as the Linux OpenVPN CLI) are mistakenly granted VPN access due to a bug where the plugin returns FUNC_SUCCESS instead of properly denying authentication. This allows unauthorized access. The fix is implemented in version 1.27.3, and switching to a management interface mode that does not use the plugin is a recommended workaround.
❓ What is the problem
openvpn-auth-oauth2 plugin for OpenVPN incorrectly grants access to unauthenticated clients in experimental plugin mode.
📍 Affected scope
In openvpn-auth-oauth2 versions 1.26.3 to 1.27.2, particularly in experimental plugin mode configurations.
🔥 Severity
Critical vulnerability allowing unauthorized VPN access due to incorrect authentication responses.
🔧 How to fix
Upgrade to openvpn-auth-oauth2 version 1.27.3.
🛡️ Workaround
Switch to the management interface mode, which does not use the plugin, or restrict VPN access to clients supporting WebAuth/SSO.
🔍 Detection
Identify any OpenVPN servers using openvpn-auth-oauth2 in experimental plugin mode with affected versions, and assess logs for unauthorized VPN connections.

Related past incidents
Similar incidents extracted from past CVEs

OpenVPN user bypass due to flawed authentication logic, leading to unauthorized access.
A serious OpenSSL vulnerability which enabled attackers to steal information from the server's memory.
Remote code execution vulnerability in Log4j allowing attackers to gain full server access, highlighting severe misconfiguration risks.

If this happens at your company
Expected impact per business scenario

📌 In a corporate VPN network
Unauthorized users could gain access to internal resources, leading to data breaches or exposure of sensitive information.
📌 Within a remote development environment
Developers may unknowingly connect to unsecured environments, risking project integrity and intellectual property loss.
📌 For a financial service company
Unsecured access could lead to unauthorized financial transactions, causing significant financial and reputational damage.
Recommended action
Immediately update the openvpn-auth-oauth2 plugin to version 1.27.3 or higher and audit current plugin modes to switch any affected setups to management interface mode.

Response Actions (7 steps)

Concrete steps and command examples for SOC/SRE teams to execute in order

  1. Identify exposure (identify)
     grep -r 'openvpn' . | grep -v node_modules

     Grep for `openvpn` in the repository and in the production dependency files (package-lock.json / requirements.txt / go.sum / Gemfile.lock, etc.) to establish which services and versions are running.

  2. Match against affected range (verify)
     Confirm if version satisfies `>= 1.26.3`

     Check whether the version found in Step 1 falls within the affected range `>= 1.26.3`. If it is running in production, treat it as an incident.

  7. Post-deployment verification (verify)
     Confirm patched version is live in production

     After applying the patch, reproduce the PoC or an equivalent exploitation pattern in staging to confirm the vulnerability is closed. In production, keep running the same log query as Step 3 to confirm the alert does not recur.
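The identify and verify steps above can be combined into one check: is openvpn-auth-oauth2 loaded through the OpenVPN `plugin` directive (the exposed mode, as opposed to management interface mode), and does the installed version fall inside 1.26.3 to 1.27.2 (fixed in 1.27.3)? The script below is an added example, not code from the advisory or the openvpn-auth-oauth2 project. It assumes a server config in standard OpenVPN syntax (lines starting with `#` or `;` are comments) and a version string obtained however you inventory the host; the sample config text, the plugin file path and the version strings are constructed.

```python
"""Added example: flag OpenVPN hosts running openvpn-auth-oauth2 in plugin mode
with a version in the range affected by CVE-2026-41070 (1.26.3 .. 1.27.2)."""
import re

AFFECTED_MIN = (1, 26, 3)   # first affected release (from the advisory)
FIXED_AT = (1, 27, 3)       # first fixed release (from the advisory)


def parse_version(v):
    """Turn 'v1.27.2' or '1.27.2' into a comparable tuple; None if not a plain x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version is inside the affected range, False if outside,
    None if the string cannot be parsed (needs manual review)."""
    t = parse_version(version)
    if t is None:
        return None
    return AFFECTED_MIN <= t < FIXED_AT


def plugin_mode_lines(config_text):
    """Return (line_no, line) for every `plugin` directive loading openvpn-auth-oauth2.
    Only line-leading comments (# or ;) are stripped, matching OpenVPN's config syntax."""
    hits = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] == "plugin" and len(parts) > 1 and "openvpn-auth-oauth2" in parts[1]:
            hits.append((n, raw.rstrip()))
    return hits


def assess(config_text, version):
    """Classify a host: returns (status, detail). Status is one of
    'not-exposed', 'review', 'incident', 'ok'."""
    hits = plugin_mode_lines(config_text)
    if not hits:
        return ("not-exposed",
                "no openvpn-auth-oauth2 `plugin` directive; management interface mode or plugin not loaded")
    affected = is_affected(version)
    where = ", ".join("line %d: %s" % h for h in hits)
    if affected is None:
        return ("review", "plugin mode in use (%s); version %r not parseable" % (where, version))
    if affected:
        return ("incident",
                "plugin mode in use (%s) with affected version %s; upgrade to 1.27.3 "
                "or switch to management interface mode" % (where, version))
    return ("ok", "plugin mode in use (%s) but version %s is outside the affected range" % (where, version))


# Constructed sample server config; the plugin path is an assumed example value.
SAMPLE_PLUGIN_CONFIG = """\
# constructed sample OpenVPN server config
port 1194
proto udp
dev tun
plugin /usr/lib/openvpn/openvpn-auth-oauth2.so
verb 3
"""

# Same host with the plugin line commented out (management interface mode instead).
SAMPLE_MGMT_CONFIG = """\
port 1194
dev tun
;plugin /usr/lib/openvpn/openvpn-auth-oauth2.so
management 127.0.0.1 8081
verb 3
"""

if __name__ == "__main__":
    for cfg, ver in ((SAMPLE_PLUGIN_CONFIG, "1.27.1"),
                     (SAMPLE_PLUGIN_CONFIG, "1.27.3"),
                     (SAMPLE_MGMT_CONFIG, "1.27.1")):
        print(assess(cfg, ver))
```

Run it over each server's config and inventory output; anything reporting `incident` is in scope for the upgrade to 1.27.3 or the switch to management interface mode, and `review` results (unparseable versions, e.g. a locally built binary) need a manual look.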

References
