Description
Tunnelblick is an open source graphical user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in version 9.0beta02.
Published: 2026-05-05
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tunnelblick’s tunnelblickd Unix socket is created with mode 0666 and the daemon performs no authorization check on connecting clients, so any local user can send requests that the root-running tunnelblick-helper acts on. The helper builds the path to config.ovpn inside a .tblk bundle that the requesting user controls and opens it as root without checking whether that path is a symbolic link. An attacker therefore creates a .tblk bundle whose config.ovpn is a symlink to any file root can read and asks tunnelblickd to process it, which discloses contents that file permissions would otherwise deny. This is CWE‑61, UNIX symbolic link (symlink) following.

Affected Systems

The vulnerability affects Tunnelblick versions from 3.3beta26 up to and including 9.0beta01 on macOS. The flaw is in the tunnelblick-helper binary, reached through the tunnelblickd socket, and allows reading any file that the root‑running helper can open, including root‑owned files. Because the socket’s mode is 0666, every local account on the machine can connect to it without restriction.

Risk and Exploitability

The CVSS 4.0 base score of 6.8 (vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) reflects a local attack that needs only an unprivileged account, no special preconditions and no user interaction; the attacker must be able to create a .tblk bundle with a symlinked config.ovpn and reach the socket, and no network exposure is involved. The EPSS score is not available and the issue is not listed in CISA’s KEV catalog; the SSVC assessment recorded in the history below marks exploitation as ‘poc’. The vector rates integrity and availability as unaffected, so the vulnerability itself is a confidentiality issue; whether it leads further depends on what the disclosed root‑only files contain, such as credentials, private keys or configuration that enable other attacks.

Generated by OpenCVE AI on May 5, 2026 at 20:51 UTC.

Remediation

Fixed in Tunnelblick 9.0beta02 according to the CVE description; no vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade Tunnelblick to 9.0beta02 or later, the only fixed version the description names, which removes the symlink‑following flaw.
  • If an immediate update is not possible, restricting the tunnelblickd socket to a non‑world‑accessible mode (for example 0600) stops arbitrary local users from connecting, but note that Tunnelblick’s own GUI talks to tunnelblickd from the logged‑in user’s session, so a mode that excludes that user breaks normal operation, and a manual chmod will not survive a daemon restart if the socket is recreated by launchd; treat this as a stopgap, not a fix.
  • Check the directories where Tunnelblick stores .tblk bundles for any config.ovpn that is itself a symbolic link (examine the link with lstat rather than following it with stat), and remove or quarantine such bundles as a temporary countermeasure until the upgrade is applied.

Generated by OpenCVE AI on May 5, 2026 at 20:51 UTC.
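The mechanism from the Impact section and the check from the last recommended action, as an added C example. This is not Tunnelblick's code and does not reproduce the project's actual fix: the function names, the hardening approach (O_NOFOLLOW on the bundle directory and on config.ovpn via openat, then fstat on the descriptor) and the fixture under /tmp are this example's own assumptions. Because it runs unprivileged, the constructed "root-only" target is an ordinary file outside the bundle; in the real bug the helper runs as root, so the same symlink would reach any file root can read.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Constructed fixture (assumption: unprivileged demo, so the "root-only" file
 * is just a regular file outside the bundle):
 *   <root>/secret.txt                               what the attacker wants
 *   <root>/evil.tblk/config.ovpn -> ../secret.txt   attacker-made bundle
 *   <root>/good.tblk/config.ovpn                    legitimate regular file
 * Writes the temp root into *root; returns 0 on success, -1 on error. */
int make_fixture(char *root, size_t rootlen)
{
    char tmpl[] = "/tmp/tblk-demo-XXXXXX", p[PATH_MAX];
    FILE *f;
    if (!mkdtemp(tmpl)) return -1;
    snprintf(root, rootlen, "%s", tmpl);
    snprintf(p, sizeof p, "%s/secret.txt", root);
    if (!(f = fopen(p, "w"))) return -1;
    fputs("root-only secret\n", f);
    fclose(f);
    snprintf(p, sizeof p, "%s/evil.tblk", root);
    if (mkdir(p, 0755) != 0) return -1;
    snprintf(p, sizeof p, "%s/evil.tblk/config.ovpn", root);
    if (symlink("../secret.txt", p) != 0) return -1;
    snprintf(p, sizeof p, "%s/good.tblk", root);
    if (mkdir(p, 0755) != 0) return -1;
    snprintf(p, sizeof p, "%s/good.tblk/config.ovpn", root);
    if (!(f = fopen(p, "w"))) return -1;
    fputs("client\nremote vpn.example.net 1194\n", f);   /* constructed */
    fclose(f);
    return 0;
}

/* The pattern the description attributes to the helper: build the path, open,
 * read. open(2) follows a symlink at config.ovpn, so a root process hands back
 * the target's contents. Returns bytes read (NUL-terminated in out) or -1. */
int read_config_unsafe(const char *tblk_dir, char *out, size_t outlen)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/config.ovpn", tblk_dir);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Hardened variant (this example's approach, not the project's fix): open the
 * bundle directory with O_NOFOLLOW|O_DIRECTORY so a symlinked .tblk is
 * refused, open config.ovpn relative to that descriptor with O_NOFOLLOW so a
 * symlinked config.ovpn fails with ELOOP, then fstat the descriptor and insist
 * on a regular file with a single link (a hard link is invisible to
 * O_NOFOLLOW). All checks are on the open descriptor, so there is no
 * lstat-then-open race. Components above the bundle are assumed trusted. */
int read_config_safe(const char *tblk_dir, char *out, size_t outlen)
{
    int dfd = open(tblk_dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    int fd = openat(dfd, "config.ovpn", O_RDONLY | O_NOFOLLOW);
    int saved = errno;
    close(dfd);
    errno = saved;
    if (fd < 0) return -1;                 /* ELOOP: config.ovpn was a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Detection check: count *.tblk entries directly under dir whose config.ovpn
 * is itself a symlink (lstat examines the link, stat would follow it).
 * Returns the count, or -1 if dir cannot be opened. */
int count_symlinked_configs(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        size_t len = strlen(e->d_name);
        if (len < 5 || strcmp(e->d_name + len - 5, ".tblk") != 0) continue;
        char path[PATH_MAX];
        struct stat st;
        snprintf(path, sizeof path, "%s/%s/config.ovpn", dir, e->d_name);
        if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
            printf("symlinked config.ovpn: %s\n", path);
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(void)
{
    char root[PATH_MAX], bundle[PATH_MAX], buf[256];
    if (make_fixture(root, sizeof root) != 0) { perror("fixture"); return 1; }
    snprintf(bundle, sizeof bundle, "%s/evil.tblk", root);
    int n = read_config_unsafe(bundle, buf, sizeof buf);
    printf("unsafe read through symlink: %d bytes: %s", n, n > 0 ? buf : "\n");
    n = read_config_safe(bundle, buf, sizeof buf);
    printf("hardened read through symlink: %s\n", n < 0 ? strerror(errno) : "allowed (unexpected)");
    snprintf(bundle, sizeof bundle, "%s/good.tblk", root);
    n = read_config_safe(bundle, buf, sizeof buf);
    printf("hardened read of regular config.ovpn: %d bytes\n", n);
    printf("bundles with symlinked config.ovpn under %s: %d\n", root, count_symlinked_configs(root));
    return 0;
}
```

Run it as a normal user: the unsafe read returns the contents of secret.txt through the symlink, the hardened read refuses the same bundle with ELOOP while still reading the legitimate one, and the scan reports the one offending bundle. To use the scan on a real machine, point count_symlinked_configs at the directories Tunnelblick keeps .tblk bundles in (paths not assumed here).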

Advisories

No advisories yet.

History

Tue, 05 May 2026 20:15:00 +0000

Type | Values removed | Values added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 19:30:00 +0000

Type | Values removed | Values added
Description | (none) | Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02.
Title | (none) | Tunnelblick arbitrary file read via symlink following in tunnelblickd
Weaknesses | (none) | CWE-61
References | (none) |
Metrics | (none) | cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:37:47.926Z

Reserved: 2026-03-09T21:59:02.687Z

Link: CVE-2026-31893

Vulnrichment

Updated: 2026-05-05T19:37:42.286Z

NVD

Status : Received

Published: 2026-05-05T20:16:35.373

Modified: 2026-05-05T20:16:35.373

Link: CVE-2026-31893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T21:00:10Z

Weaknesses