CVE-2026-41070
OpenVPN · openvpn-auth-oauth2
The openvpn-auth-oauth2 plugin incorrectly admits clients that do not support WebAuth/SSO when deployed in experimental plugin mode, bypassing required authentication.
Executive summary
An authentication bypass vulnerability in the OpenVPN openvpn-auth-oauth2 plugin allows unauthenticated users to gain unauthorized network access.
Vulnerability
This authentication bypass occurs only when the plugin is run in experimental plugin mode. In that mode the software fails to enforce the SSO/WebAuth requirement for clients that do not support those protocols, and incorrectly admits them to the VPN instead of rejecting the connection.
Business impact
This vulnerability carries a CVSS score of 10.0, indicating a complete bypass of security controls. An attacker can gain unauthorized access to the protected network without providing valid credentials, resulting in total loss of confidentiality and integrity for internal resources. The impact is critical for organizations relying on this plugin for secure remote access.
Remediation
Immediate Action: Update the openvpn-auth-oauth2 plugin to version 1.27.3, the first release containing the fix.
Proactive Monitoring: Review VPN authentication logs for successful connections from unauthorized or non-compliant client types that should have been rejected.
Compensating Controls: If immediate patching is not possible, disable the experimental plugin mode and revert to the default management-interface mode, which is not susceptible to this specific flaw.
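The log review suggested above can be scripted. The following is an added example, not code from the advisory or from the openvpn-auth-oauth2 project. It assumes the shape of an OpenVPN server log at `--verb 4`, where the server echoes each client's peer-info (`IV_*`) values before the "Peer Connection Initiated" line, and it assumes that WebAuth-capable clients advertise that capability in `IV_SSO`; the log lines themselves are constructed. It flags every completed connection whose client never advertised the required SSO method, which is exactly the class of session a vulnerable experimental-mode deployment would have let through and a patched one should not.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of an OpenVPN server log at --verb 4.
# Not taken from any real deployment; the peer-info echo format is an assumption.
SAMPLE_LOG = """\
2026-05-01 10:00:01 203.0.113.10:51234 peer info: IV_VER=2.6.8
2026-05-01 10:00:01 203.0.113.10:51234 peer info: IV_SSO=openurl,webauth,crtext
2026-05-01 10:00:02 203.0.113.10:51234 [alice] Peer Connection Initiated with [AF_INET]203.0.113.10:51234
2026-05-01 10:05:11 198.51.100.7:40001 peer info: IV_VER=2.4.7
2026-05-01 10:05:12 198.51.100.7:40001 [bob] Peer Connection Initiated with [AF_INET]198.51.100.7:40001
2026-05-01 10:07:30 192.0.2.55:60010 peer info: IV_VER=2.5.9
2026-05-01 10:07:30 192.0.2.55:60010 peer info: IV_SSO=openurl
2026-05-01 10:07:31 192.0.2.55:60010 [carol] Peer Connection Initiated with [AF_INET]192.0.2.55:60010
"""

# "<date> <time> <ip:port> peer info: IV_KEY=value"
PEER_INFO_RE = re.compile(
    r"^\S+ \S+ (?P<peer>\S+) peer info: (?P<key>IV_[A-Z_]+)=(?P<value>.*)$"
)
# "<date> <time> <ip:port> [common-name] Peer Connection Initiated with ..."
CONNECTED_RE = re.compile(
    r"^\S+ \S+ (?P<peer>\S+) \[(?P<cn>[^\]]*)\] Peer Connection Initiated"
)


def find_suspect_sessions(log_text, required_method="webauth"):
    """Return (peer, common_name, advertised_sso_methods) for every completed
    connection whose client never advertised `required_method` in IV_SSO.

    Peer-info lines are buffered per source address until the matching
    "Peer Connection Initiated" line arrives; a client that sent no IV_SSO
    at all is reported with an empty method list.
    """
    pending = defaultdict(dict)  # peer address -> {IV_KEY: value}
    suspects = []
    for line in log_text.splitlines():
        m = PEER_INFO_RE.match(line)
        if m:
            pending[m["peer"]][m["key"]] = m["value"]
            continue
        m = CONNECTED_RE.match(line)
        if m:
            info = pending.pop(m["peer"], {})
            methods = [s for s in info.get("IV_SSO", "").split(",") if s]
            if required_method not in methods:
                suspects.append((m["peer"], m["cn"], methods))
    return suspects


if __name__ == "__main__":
    for peer, cn, methods in find_suspect_sessions(SAMPLE_LOG):
        print(f"review: {cn} from {peer} connected without webauth "
              f"(advertised IV_SSO: {','.join(methods) or 'none'})")
```

On the constructed sample this reports `bob` (no `IV_SSO` at all) and `carol` (`openurl` only); `alice` advertised `webauth` and is not flagged. Any hit in a real log from the vulnerable window is a session whose authentication path should be verified against the identity provider's own sign-in records, and hits appearing after the upgrade to 1.27.3 indicate the fix is not actually in effect.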
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
The severity of this authentication bypass requires immediate attention. Administrators must upgrade the plugin to version 1.27.3 or transition away from the affected experimental plugin mode to prevent unauthorized network infiltration.