A critical authentication bypass vulnerability (CVE-2026-41070) has been discovered in the openvpn-auth-oauth2 plugin, allowing unauthenticated VPN clients to gain full network access without completing OIDC authentication.
It scores a perfect 10.0 on the CVSS v3.1 scale, and security teams running the experimental plugin mode of openvpn-auth-oauth2 must treat this as a high-priority emergency patch.
The openvpn-auth-oauth2 package is an open-source plugin and management interface client for OpenVPN servers, designed to handle OIDC-based Single Sign-On (SSO) authentication flows for enterprise VPN environments.
It supports two deployment modes: the default management interface mode, which communicates authentication decisions through a dedicated management protocol, and the experimental plugin mode, which loads as a shared library directly into the OpenVPN daemon via the plugin directive.
CVE-2026-41070 exclusively affects the experimental plugin mode; the management interface mode remains completely safe and unaffected.
CVE-2026-41070: OpenVPN Plugin Vulnerability
The root cause of CVE-2026-41070 is deceptively simple but devastating in impact. In the file lib/openvpn-auth-oauth2/openvpn/handle.go, the ClientAuthDeny branch of the handleAuthUserPassVerify function correctly wrote "0" (deny) to the auth_control_file, but then returned OPENVPN_PLUGIN_FUNC_SUCCESS (status code 0) to the OpenVPN daemon.
The critical misunderstanding here involves how the OpenVPN Plugin API works: OpenVPN only reads the auth_control_file when a plugin returns FUNC_DEFERRED, signaling that the authentication decision is pending.
When a plugin returns FUNC_SUCCESS synchronously, OpenVPN treats that as an immediate, unconditional approval, regardless of what was written to the auth control file. This means every denied client was paradoxically being approved at the API level, effectively rendering the OIDC authentication layer completely useless for non-WebAuth clients.
The vulnerable code returned OPENVPN_PLUGIN_FUNC_SUCCESS after writing a denial to the auth file, while the patched version now correctly returns OPENVPN_PLUGIN_FUNC_ERROR to force OpenVPN to reject the connection at the daemon level. The fix was committed in commit 36f69a6 and released in the version 1.27.3.
Published as GHSA-246w-jgmq-88fg and assigned CVE-2026-41070, this vulnerability carries a CVSS:3.1 score of 10.0 Critical with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N. The attack requires no authentication, no privileges, no user interaction, and can be executed entirely over the network, placing it in the most dangerous threat category possible.
Any VPN client that does not advertise WebAuth/SSO support via the IV_SSO=webauth parameter value, including the standard OpenVPN CLI on Linux, can exploit this flaw to connect to affected servers.
Once connected, the attacker gains full access to the internal network behind the VPN, enabling lateral movement, data exfiltration, and potential compromise of internal infrastructure. The scope is marked as “Changed,” meaning the impact extends beyond the vulnerable component itself to downstream network resources.
The affected versions range from 1.26.3 to 1.27.2. Organizations running any version in this range in plugin mode are fully exposed. The vulnerability was responsibly reported by security researcher kkalev and is classified under CWE-287: Improper Authentication.
The vulnerability is scoped exclusively to organizations that have deployed openvpn-auth-oauth2 in experimental plugin mode using the plugin directive in their OpenVPN server configuration. Deployments using the default management interface client mode, which is the recommended and most widely deployed configuration, are not vulnerable.
However, some enterprise environments or custom deployments may have opted for plugin mode due to integration requirements, and these organizations must audit their configurations immediately.
Patch and Mitigation
The official fix is available in version 1.27.3, released by maintainer jkroepke via PR #829. All organizations should take the following steps without delay:
- Please upgrade immediately to openvpn-auth-oauth2 v1.27.3 if you are running any version between 1.26.3 and 1.27.2 in plugin mode.
- Audit your deployment mode: check your OpenVPN server config for the plugin directive; if it is absent, you are using management interface mode and are not affected.
- Switch to management interface mode as a workaround if an immediate upgrade is not feasible; this is the default, recommended mode, and is fully immune to this vulnerability.
- Avoid relying on network-level restrictions (e.g., allowlisting only OpenVPN Connect 3+ clients) as a primary mitigation, as these controls are difficult to enforce reliably and do not address the underlying flaw.
- Review VPN access logs for any unusual connections from clients lacking IV_SSO=webauth support, particularly during the window when vulnerable versions were in use.
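As an added example for the log-review step (not tooling from the project), the Go program below scans constructed OpenVPN-style server log lines and flags sessions that completed without advertising IV_SSO=webauth; the log layout and the function names are assumptions.

```go
package main

import (
	"bufio"
	"strings"
)

// Constructed sample in the shape of OpenVPN server logs at verb 4 (assumed
// format): "<addr> peer info: KEY=VALUE" lines precede each session's
// "Peer Connection Initiated" line.
const sampleLog = `2026-05-01 10:00:01 203.0.113.10:51234 peer info: IV_SSO=openurl,webauth
2026-05-01 10:00:02 203.0.113.10:51234 [alice] Peer Connection Initiated with [AF_INET]203.0.113.10:51234
2026-05-01 10:05:41 198.51.100.7:44001 [UNDEF] Peer Connection Initiated with [AF_INET]198.51.100.7:44001`

// advertisesWebAuth reports whether a comma-separated IV_SSO value lists webauth.
func advertisesWebAuth(ivSSO string) bool {
	for _, m := range strings.Split(ivSSO, ",") {
		if strings.TrimSpace(m) == "webauth" {
			return true
		}
	}
	return false
}

// sessionsWithoutWebAuth returns endpoints that connected without advertising webauth.
func sessionsWithoutWebAuth(log string) []string {
	webauth := map[string]bool{}
	var flagged []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		f := strings.Fields(line)
		if len(f) < 4 {
			continue
		}
		addr := f[2] // "<ip>:<port>" identifies the session in this format
		if _, v, ok := strings.Cut(line, "peer info: IV_SSO="); ok {
			if advertisesWebAuth(v) {
				webauth[addr] = true
			}
		} else if strings.Contains(line, "Peer Connection Initiated") && !webauth[addr] {
			flagged = append(flagged, addr)
		}
	}
	return flagged
}

func main() {
	println(strings.Join(sessionsWithoutWebAuth(sampleLog), "\n"))
}
```

On a server that ran a vulnerable version in plugin mode, each flagged endpoint is a session that could have completed without OIDC and should be correlated with the authentication provider's logs.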
FAQ
Q1: Does CVE-2026-41070 affect standard OpenVPN installations without the openvpn-auth-oauth2 plugin?
No, the vulnerability is isolated entirely to deployments of the openvpn-auth-oauth2 package running in experimental plugin mode; standard OpenVPN setups are unaffected.
Q2: Can the management interface mode be exploited using the same technique?
No, in management interface mode, authentication decisions flow through the management protocol, not the plugin return-code mechanism, making this bypass impossible.
Q3: What CVSS score does CVE-2026-41070 carry, and why is it rated so high?
It carries a perfect CVSS v3.1 score of 10.0 because it requires no privileges, no user interaction, is network-exploitable, and grants full confidentiality and integrity access to protected internal networks.
Q4: Is there a public exploit available for CVE-2026-41070?
No confirmed public exploit code has been disclosed at the time of publication; however, the simplicity of the attack vector, which can be used with any standard OpenVPN CLI client, makes exploitation trivial for any technically capable attacker.
Site: thecybrdef.com