Description
openvpn-auth-oauth2 is a plugin/management-interface client for OpenVPN server that handles OIDC-based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.
Published: 2026-05-08
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

openvpn-auth-oauth2 is a plugin that mediates OAuth2 authentication for OpenVPN servers. Between versions 1.26.3 and just before 1.27.3, when the plugin is used in experimental plugin mode, clients that do not support WebAuth/SSO are mistakenly granted access even though the authentication logic has denied them. The plugin returns a success code where the authentication should fail, giving an unauthenticated client a VPN session. The flaw is classified as CWE-287 (Improper Authentication) and enables an attacker to obtain VPN connectivity without valid credentials.

Affected Systems

The flaw affects the jkroepke openvpn-auth-oauth2 product, specifically any deployment of versions 1.26.3 through 1.27.2 that employs the experimental plugin mode. The default management-interface mode is not impacted, as it does not invoke the plugin's return-code mechanism. Other OpenVPN versions or configurations that do not use the experimental plugin mode remain unaffected.

Risk and Exploitability

The CVSS score of 10 indicates a critical risk. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. It can be exploited from any network position that can reach an OpenVPN server loading the experimental plugin: an unauthenticated client can initiate a VPN session and receive network access, potentially enabling lateral movement. The attack requires no prior compromise, privileged access, or user interaction, and is performed over the ordinary client connection, making it highly dangerous for exposed VPN services.

Generated by OpenCVE AI on May 8, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade openvpn-auth-oauth2 to version 1.27.3 or later to eliminate the incorrect success return.
  • If upgrade is not feasible, disable experimental plugin mode and use the server's default management-interface mode, which does not expose the flaw.
  • Configure the OpenVPN server to reject or drop connections from clients that lack WebAuth/SSO support before they reach the authentication plugin, thereby preventing unauthenticated access.

Tracking

Advisories
Source: Github GHSA
ID: GHSA-246w-jgmq-88fg
Title: openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access
History

Fri, 08 May 2026 17:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: openvpn-auth-oauth2 is a plugin/management-interface client for OpenVPN server that handles OIDC-based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.

Type: Title
Values Removed: (empty)
Values Added: openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-287

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T16:05:34.531Z

Reserved: 2026-04-16T16:43:03.174Z

Link: CVE-2026-41070

Vulnrichment

Updated: 2026-05-08T16:05:31.055Z

NVD

Status : Received

Published: 2026-05-08T16:16:11.030

Modified: 2026-05-08T16:16:11.030

Link: CVE-2026-41070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T18:00:16Z

Weaknesses