CVE-2026-41070: CWE-287: Improper Authentication in jkroepke openvpn-auth-oauth2
openvpn-auth-oauth2 is a plugin/management-interface client for OpenVPN server that handles OIDC-based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (a shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.
AI Analysis
Technical Summary
The openvpn-auth-oauth2 plugin for OpenVPN server, which handles OIDC-based single sign-on authentication, contains an improper authentication flaw (CWE-287) in versions from 1.26.3 to before 1.27.3. Specifically, when used in experimental plugin mode, clients lacking WebAuth/SSO support are erroneously admitted to the VPN, bypassing authentication controls. The default management-interface mode is unaffected because it does not rely on the OpenVPN plugin return-code mechanism. The vulnerability has a CVSS 3.1 base score of 10.0, indicating critical severity. The issue was resolved in version 1.27.3.
Potential Impact
Successful exploitation allows unauthenticated clients that do not support WebAuth/SSO to bypass authentication and gain unauthorized VPN access. This compromises confidentiality and integrity of the VPN environment, potentially allowing attackers to access internal network resources without valid credentials. Availability is not impacted. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade openvpn-auth-oauth2 to version 1.27.3 or later, where this authentication bypass is fixed. If upgrading immediately is not possible, avoid the experimental plugin mode that triggers the issue and run the default management-interface mode instead, which is not affected. No separate patch-status field is given, but the vendor fixed the issue in version 1.27.3, so applying this official fix is the recommended remediation.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-16T16:43:03.174Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fe067ecbff5d8610f6728a
Added to database: 5/8/2026, 3:51:26 PM
Last enriched: 5/8/2026, 4:07:19 PM
Last updated: 5/8/2026, 9:56:35 PM