CVE-2026-41070
CriticalSummary
The openvpn-auth-oauth2 plugin for OpenVPN server has a vulnerability that allows clients not supporting WebAuth/SSO to access the VPN despite being denied by the authentication logic. The issue exists in versions from 1.26.3 to before 1.27.3 when the plugin is deployed in experimental mode.
Risk Assessment
Organizations may be exposed to unauthorized access to the VPN, potentially leading to data breaches or other security incidents. Clients that should not have access may gain unauthorized privileges.
Recommendation
It is recommended to update the openvpn-auth-oauth2 plugin to version 1.27.3 or newer to mitigate this vulnerability. Additionally, consider disabling experimental mode if possible.
Original NVD description (English source)
openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.

