CVE-2026-41070

OpenVPN · openvpn-auth-oauth2

The openvpn-auth-oauth2 plugin incorrectly admits clients that do not support WebAuth/SSO when deployed in experimental plugin mode, bypassing required authentication.

Executive summary

An authentication bypass vulnerability in the OpenVPN openvpn-auth-oauth2 plugin allows unauthenticated users to gain unauthorized network access.

Vulnerability

This is an authentication bypass vulnerability occurring when the plugin is used in experimental plugin mode. The software fails to enforce SSO/WebAuth requirements for clients that do not support these protocols, incorrectly admitting them to the VPN.

Business impact

This vulnerability carries a CVSS score of 10.0, indicating a complete bypass of security controls. An attacker can gain unauthorized access to the protected network without providing valid credentials, resulting in total loss of confidentiality and integrity for internal resources. The impact is critical for organizations relying on this plugin for secure remote access.

Remediation

Immediate Action: Update the openvpn-auth-oauth2 plugin to version 1.27.3.

Proactive Monitoring: Review VPN authentication logs for successful connections from unauthorized or non-compliant client types that should have been rejected.

Compensating Controls: If immediate patching is not possible, disable the experimental plugin mode and revert to the default management-interface mode, which is not susceptible to this specific flaw.
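One way to carry out the log review recommended above, as an added example that is not part of this advisory or the openvpn-auth-oauth2 project: OpenVPN clients advertise the SSO methods they support in a peer-info field (IV_SSO), which the server writes to its log at higher verbosity. The script correlates, per client endpoint, the advertised IV_SSO methods with later successful authentications and flags any session where a client that never advertised webauth was still admitted. The log lines and the exact line layout are constructed for this example and should be adapted to the format your server actually emits.

```python
import re
from collections import defaultdict

# Constructed sample of OpenVPN server log lines (verb 4 style); not real captured output.
# 'alice' advertises webauth, 'bob' sends no IV_SSO at all, 'carol' only supports openurl.
SAMPLE_LOG = """\
2026-01-10 12:00:01 203.0.113.5:51234 peer info: IV_VER=2.6.8
2026-01-10 12:00:01 203.0.113.5:51234 peer info: IV_SSO=openurl,webauth,crtext
2026-01-10 12:00:04 203.0.113.5:51234 TLS: Username/Password authentication succeeded for username 'alice'
2026-01-10 12:01:10 198.51.100.7:40001 peer info: IV_VER=2.4.12
2026-01-10 12:01:12 198.51.100.7:40001 TLS: Username/Password authentication succeeded for username 'bob'
2026-01-10 12:02:00 192.0.2.9:60010 peer info: IV_VER=2.5.9
2026-01-10 12:02:00 192.0.2.9:60010 peer info: IV_SSO=openurl
2026-01-10 12:02:03 192.0.2.9:60010 TLS: Username/Password authentication succeeded for username 'carol'
"""

# Assumed line layout: "<date> <time> <ip:port> <message>"; adjust the prefix if yours differs.
PEER_RE = re.compile(r"^\S+ \S+ (?P<peer>\S+) peer info: (?P<key>IV_\w+)=(?P<val>.*)$")
AUTH_RE = re.compile(
    r"^\S+ \S+ (?P<peer>\S+) TLS: Username/Password authentication succeeded "
    r"for username '(?P<user>[^']*)'"
)


def find_noncompliant_sessions(log_text, required="webauth"):
    """Return (peer, user, advertised_sso_methods) for every successful
    authentication whose client never advertised the required SSO method."""
    advertised = defaultdict(set)  # client endpoint -> IV_SSO methods seen
    findings = []
    for line in log_text.splitlines():
        m = PEER_RE.match(line)
        if m:
            if m["key"] == "IV_SSO":
                advertised[m["peer"]].update(v for v in m["val"].split(",") if v)
            continue
        m = AUTH_RE.match(line)
        if m and required not in advertised[m["peer"]]:
            # Admitted despite lacking the required SSO capability: should have been rejected.
            findings.append((m["peer"], m["user"], sorted(advertised[m["peer"]])))
    return findings


if __name__ == "__main__":
    for peer, user, methods in find_noncompliant_sessions(SAMPLE_LOG):
        print(f"review: {user} from {peer} admitted without webauth (IV_SSO={methods or 'none'})")
```

Because peer-info lines are only logged at verbosity 4 or higher, a log that contains no IV_SSO lines at all will flag every session; confirm the server's verb setting before trusting the output.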

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

The severity of this authentication bypass requires immediate attention. Administrators must upgrade the plugin to version 1.27.3 or transition away from the affected experimental plugin mode to prevent unauthorized network infiltration.