EXECUTIVE SUMMARY:
CVE-2026-41070, with a CVSS score of 10.0, is a Critical vulnerability in go/github.com/jkroepke/openvpn-auth-oauth2, affecting versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode. It allows an unauthenticated attacker to connect to the OpenVPN server using any standard OpenVPN client that does not support webauth, because of incorrect authentication handling. Specifically, when a client is denied access through the plugin return-code mechanism, the plugin incorrectly returns OPENVPN_PLUGIN_FUNC_SUCCESS, so OpenVPN interprets the status as "authentication passed" and grants full network access. An attacker can trigger the flaw simply by connecting with an unauthenticated client that does not advertise WebAuth/SSO support, gaining full access to the internal network behind the VPN. The business impact is significant: the flaw allows unauthenticated access to sensitive network resources, compromising the confidentiality, integrity, and availability of the network. Exploitation requires only network access to the OpenVPN server and a client that does not support webauth.
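As an added illustration of the fail-open pattern described above (example code, not the project's own): a plugin decision routine is mapped to OpenVPN plugin return codes twice, once with the bug (a denied client lands in the success path) and once failing closed. The `decide` logic and the use of the IV_SSO peer-info variable to detect webauth support are simplifying assumptions.

```go
package main

import "strings"

// OpenVPN plugin return codes as defined in openvpn-plugin.h.
const (
	PluginFuncSuccess  = 0 // OPENVPN_PLUGIN_FUNC_SUCCESS: authentication passed
	PluginFuncError    = 1 // OPENVPN_PLUGIN_FUNC_ERROR: authentication failed
	PluginFuncDeferred = 2 // OPENVPN_PLUGIN_FUNC_DEFERRED: decision still pending
)

// Decision is the plugin's own verdict for a connecting client.
type Decision int

const (
	Deny Decision = iota
	Allow
	PendingWebAuth
)

// clientSupportsWebAuth inspects IV_SSO, the peer-info variable in which
// clients advertise supported SSO methods, e.g. "openurl,webauth".
func clientSupportsWebAuth(env map[string]string) bool {
	for _, m := range strings.Split(env["IV_SSO"], ",") {
		if strings.TrimSpace(m) == "webauth" {
			return true
		}
	}
	return false
}

// decide is a hypothetical decision routine: clients that can complete SSO are
// deferred until the OAuth2 callback arrives; all others must be denied.
func decide(env map[string]string) Decision {
	if clientSupportsWebAuth(env) {
		return PendingWebAuth
	}
	return Deny
}

// vulnerableReturnCode shows the fail-open mapping: Deny is not handled
// explicitly, so it falls through to the success code.
func vulnerableReturnCode(d Decision) int {
	if d == PendingWebAuth {
		return PluginFuncDeferred
	}
	return PluginFuncSuccess // BUG: a denied client is reported as authenticated
}

// fixedReturnCode maps every verdict explicitly and fails closed otherwise.
func fixedReturnCode(d Decision) int {
	switch d {
	case Allow:
		return PluginFuncSuccess
	case PendingWebAuth:
		return PluginFuncDeferred
	default:
		return PluginFuncError
	}
}
```

Run with a constructed peer-info map lacking IV_SSO: the vulnerable mapping yields 0 (OpenVPN admits the client), the fixed mapping yields 1.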
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-246w-jgmq-88fg