Home / Vulnerability Intelligence / CVE-2026-41070

CVE-2026-41070 - Vulnerability Analysis

CriticalCVSS: 10.0

Last Updated: May 8, 2026

openvpn-auth-oauth2 - Authentication Bypass

Published: May 8, 2026Updated: May 8, 2026Remote Exploitable

Overview

openvpn-auth-oauth2 1.26.3 to < 1.27.3 contains an authentication bypass caused by incorrect admission of clients not supporting WebAuth/SSO in experimental plugin mode, letting unauthenticated clients access VPN, exploit requires use of experimental plugin mode.

Severity & Score

Severity: Critical

CVSS Score: 10.0

Impact

Unauthenticated clients can access the VPN, bypassing authentication controls and potentially gaining unauthorized network access.

Mitigation

Upgrade to version 1.27.3 or later.

References

https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2
https://github.com/jkroepke/openvpn-auth-oauth2/security/advisories/GHSA-246w-jgmq-88fg

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-41070
Severity: Critical
CVSS Score: 10.0
Type: broken_authentication
Status: new

CWE

CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N