CVE-2026-41070
Published 2026-05-08
Priority: P2 66 · Severity: critical · CVSS 3.1 base score: 10
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.44% (35.0th percentile)
openvpn-auth-oauth2 is a plugin/management-interface client for OpenVPN server that handles OIDC-based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | jkroepke_openvpn-auth-oauth2 | >= 1.26.3 < 1.27.3 | 1.27.3 |
| jkroepke | openvpn-auth-oauth2 | — | — |
VulDB (vuldb · 2026-05-08 · CVSS 10.0 · CRITICAL): jkroepke openvpn-auth-oauth2 up to 1.27.2 improper authentication (GHSA-246w-jgmq-88fg)
A vulnerability was found in jkroepke openvpn-auth-oauth2 up to 1.27.2 and classified as critical. This vulnerability affects unknown code. The manipulation results in improper authentication.
This vulnerability is known as CVE-2026-41070. It is possible to launch the attack remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA (ghsa · 2026-04-22 · CRITICAL · CWE-287): openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access
# Summary
When `openvpn-auth-oauth2` is deployed in the **experimental plugin mode** (shared library loaded by OpenVPN via the `plugin` directive), clients that do not support WebAuth/SSO (e.g., the `openvpn` CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. **The default management-interface mode is not affected** because it does not use the OpenVPN plugin return-code mechanism.
# Impact
**Authentication bypass — any VPN client that does not advertise WebAuth/SSO support (`IV_SSO=webauth`) is granted full network access without completing OIDC authentication.**
This affects only deployments running the **experimental plugin mode** in versions
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.