CVE-2026-41070 Overview
CVE-2026-41070 is an authentication bypass vulnerability in openvpn-auth-oauth2, a plugin and management-interface client that adds OpenID Connect (OIDC) single sign-on (SSO) support to OpenVPN servers. The flaw affects versions from 1.26.3 up to, but not including, 1.27.3 when the software runs in experimental plugin mode, that is, when OpenVPN loads it through the plugin directive. Clients that do not support WebAuth or SSO, such as the openvpn command-line interface (CLI) on Linux, are granted VPN access even though the authentication logic denies them. The default management-interface mode is not affected. The issue is tracked under CWE-287 (Improper Authentication) and was patched in version 1.27.3.
Critical Impact
Unauthenticated network attackers can bypass OIDC SSO enforcement and obtain VPN access using a standard OpenVPN CLI client.
Affected Products
- openvpn-auth-oauth2 version 1.26.3 and later, before 1.27.3
- Deployments using the experimental OpenVPN plugin mode (plugin directive)
- OpenVPN servers relying on openvpn-auth-oauth2 for OIDC SSO enforcement
Discovery Timeline
- 2026-05-08 - CVE-2026-41070 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41070
Vulnerability Analysis
The vulnerability is an authentication bypass in the plugin-mode integration between openvpn-auth-oauth2 and OpenVPN. When loaded as a shared library through OpenVPN's plugin directive, the component must communicate authentication results back to OpenVPN using the plugin return-code mechanism. The plugin path mishandles return codes for clients that cannot complete the WebAuth or SSO challenge. Instead of producing a deny outcome, the flow returns a value that OpenVPN interprets as successful authentication. Attackers using a standard openvpn CLI on Linux, which has no OIDC capability, are admitted to the tunnel.
Root Cause
The root cause is incorrect handling of the OpenVPN plugin return code when a client cannot satisfy the OIDC flow. The plugin should signal OPENVPN_PLUGIN_FUNC_ERROR to deny non-SSO clients, but the affected versions return a success status. The default management-interface mode does not use the plugin return-code mechanism and therefore is not vulnerable. The fix in 1.27.3 corrects the return-code logic so denied clients are rejected at the OpenVPN layer.
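The following Go model, added here as an illustration and not taken from the openvpn-auth-oauth2 code base, shows how a return-code mapping of this shape can admit a client it meant to deny, next to a fail-closed mapping. The three numeric constants match openvpn-plugin.h (OPENVPN_PLUGIN_FUNC_SUCCESS = 0, OPENVPN_PLUGIN_FUNC_ERROR = 1, OPENVPN_PLUGIN_FUNC_DEFERRED = 2); the Decision enum, the function names and the fall-through structure are hypothetical and stand in for whatever the real plugin's logic looked like.

```go
package main

import "fmt"

// OpenVPN plugin return codes, values as defined in openvpn-plugin.h.
const (
	OpenVPNPluginFuncSuccess  = 0
	OpenVPNPluginFuncError    = 1
	OpenVPNPluginFuncDeferred = 2
)

// Decision is a hypothetical outcome of the plugin's own authentication logic.
type Decision int

const (
	DecisionAllowed     Decision = iota // OIDC flow completed and the user is authorized
	DecisionDenied                      // the IdP rejected the user
	DecisionPending                     // browser flow started, still waiting on the IdP
	DecisionClientNoSSO                 // client cannot do WebAuth/SSO, e.g. the openvpn CLI
)

func (d Decision) String() string {
	switch d {
	case DecisionAllowed:
		return "allowed"
	case DecisionDenied:
		return "denied"
	case DecisionPending:
		return "pending"
	case DecisionClientNoSSO:
		return "client-no-sso"
	}
	return "unknown"
}

// vulnerableReturnCode models the defect class described in the advisory:
// only explicit deny and pending are handled, so the non-SSO client case
// falls through to the success code and OpenVPN establishes the tunnel.
func vulnerableReturnCode(d Decision) int {
	switch d {
	case DecisionDenied:
		return OpenVPNPluginFuncError
	case DecisionPending:
		return OpenVPNPluginFuncDeferred
	}
	// DecisionAllowed and DecisionClientNoSSO both land here: the bypass.
	return OpenVPNPluginFuncSuccess
}

// fixedReturnCode names the single outcome that may succeed and maps every
// other outcome, including values it does not recognise, to an error so the
// connection is rejected at the OpenVPN layer.
func fixedReturnCode(d Decision) int {
	switch d {
	case DecisionAllowed:
		return OpenVPNPluginFuncSuccess
	case DecisionPending:
		return OpenVPNPluginFuncDeferred
	case DecisionDenied, DecisionClientNoSSO:
		return OpenVPNPluginFuncError
	default:
		return OpenVPNPluginFuncError // fail closed
	}
}

func main() {
	for _, d := range []Decision{DecisionAllowed, DecisionDenied, DecisionPending, DecisionClientNoSSO} {
		fmt.Printf("%-14s vulnerable=%d fixed=%d\n", d, vulnerableReturnCode(d), fixedReturnCode(d))
	}
}
```

The point of the fixed variant is that success is an explicit case rather than the default: any branch the author forgot, and any new client capability added later, is denied rather than admitted.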
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker connects to an OpenVPN server protected by openvpn-auth-oauth2 in plugin mode using a non-SSO client such as the Linux openvpn CLI. With valid client certificate material configured by the server policy but no OIDC token, the server accepts the connection and establishes the tunnel. The attacker gains access to internal resources that the VPN protects.
No verified exploitation code is publicly available. See the GitHub Security Advisory GHSA-246w-jgmq-88fg and the upstream fix commit for the technical details of the fix.
Detection Methods for CVE-2026-41070
Indicators of Compromise
- VPN session establishment events for users who never completed an OIDC SSO authorization flow in the identity provider logs.
- OpenVPN server logs showing successful client-connect events from clients identifying as openvpn CLI on Linux when SSO is required.
- Mismatch between openvpn-auth-oauth2 deny decisions and OpenVPN session acceptance in correlated logs.
Detection Strategies
- Correlate identity provider (IdP) authorization logs with OpenVPN session logs to flag tunnels created without a matching OIDC token issuance.
- Audit openvpn-auth-oauth2 runtime logs for denied authentication decisions that did not terminate the associated OpenVPN session.
- Inventory all OpenVPN servers and identify those configured with the plugin directive pointing at openvpn-auth-oauth2 versions between 1.26.3 and 1.27.2.
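As a worked example of the first two strategies above, the Go program below correlates identity-provider token issuances with OpenVPN client-connect events and flags sessions that either have no matching token within a time window or come from a client that did not advertise WebAuth support. This is added illustration, not code from openvpn-auth-oauth2 or OpenVPN. The log lines are constructed in a simplified key=value layout, not the exact format either product emits; the iv_sso field stands in for the IV_SSO peer-info value OpenVPN clients send, and the user names and timestamps are invented.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample logs (simplified layout, not real product output).
const idpLog = `2026-05-09T10:00:02Z token_issued user=alice
2026-05-09T10:05:40Z token_issued user=carol`

const vpnLog = `2026-05-09T10:00:05Z client_connect cn=alice iv_sso=webauth,openurl
2026-05-09T10:02:11Z client_connect cn=bob iv_sso=
2026-05-09T10:06:00Z client_connect cn=carol iv_sso=webauth`

type event struct {
	at   time.Time
	kind string
	user string
	sso  string // client's advertised SSO capabilities, empty if none
}

// Finding is one VPN session that should not exist under an SSO-only policy.
type Finding struct {
	User   string
	At     time.Time
	Reason string
}

// parseLog reads "<RFC3339 time> <kind> key=value ..." lines.
func parseLog(log string) ([]event, error) {
	var out []event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		e := event{at: at, kind: f[1]}
		for _, kv := range f[2:] {
			k, v, _ := strings.Cut(kv, "=")
			switch k {
			case "user", "cn":
				e.user = v
			case "iv_sso":
				e.sso = v
			}
		}
		out = append(out, e)
	}
	return out, nil
}

// suspiciousSessions flags client_connect events whose client does not
// advertise WebAuth, and events with no IdP token issued for the same
// user in the `window` before the connect.
func suspiciousSessions(idp, vpn string, window time.Duration) ([]Finding, error) {
	idpEvents, err := parseLog(idp)
	if err != nil {
		return nil, err
	}
	vpnEvents, err := parseLog(vpn)
	if err != nil {
		return nil, err
	}
	issued := map[string][]time.Time{}
	for _, e := range idpEvents {
		if e.kind == "token_issued" {
			issued[e.user] = append(issued[e.user], e.at)
		}
	}
	var findings []Finding
	for _, e := range vpnEvents {
		if e.kind != "client_connect" {
			continue
		}
		if !strings.Contains(e.sso, "webauth") {
			findings = append(findings, Finding{e.user, e.at, "client does not advertise WebAuth/SSO support"})
		}
		matched := false
		for _, t := range issued[e.user] {
			if !t.After(e.at) && e.at.Sub(t) <= window {
				matched = true
				break
			}
		}
		if !matched {
			findings = append(findings, Finding{e.user, e.at, "no IdP token issuance within window"})
		}
	}
	return findings, nil
}

func main() {
	fs, err := suspiciousSessions(idpLog, vpnLog, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, f := range fs {
		fmt.Printf("%s %s: %s\n", f.At.Format(time.RFC3339), f.User, f.Reason)
	}
}
```

On the sample data only bob is flagged, on both counts. In a real deployment the window should be tuned to how long the browser flow takes in your environment, and the user key must be the attribute that is actually shared between the IdP record and the OpenVPN common name.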
Monitoring Recommendations
- Alert on VPN logins from client user agents or platforms known to lack WebAuth or SSO support.
- Monitor for new VPN sessions originating from unexpected source networks or geographies during the exposure window.
- Track post-connection lateral movement attempts from VPN IP pools to detect abuse of bypassed sessions.
How to Mitigate CVE-2026-41070
Immediate Actions Required
- Upgrade openvpn-auth-oauth2 to version 1.27.3 or later on all OpenVPN servers using plugin mode.
- Inventory OpenVPN configurations for the plugin directive referencing openvpn-auth-oauth2 and prioritize patching those hosts.
- Revoke active VPN sessions established during the vulnerable window and force reauthentication through the IdP.
Patch Information
The maintainer released openvpn-auth-oauth2 version 1.27.3 with the fix applied in commit 36f69a6c67c1054da7cbfa04ced3f0555127c8f2. Refer to the GitHub Security Advisory GHSA-246w-jgmq-88fg for advisory details and to the upstream patch commit for the code change.
Workarounds
- Switch from the experimental plugin mode to the default management-interface mode, which is not affected by this vulnerability.
- Remove the plugin directive that loads openvpn-auth-oauth2 until the upgrade to 1.27.3 is complete.
- Restrict client certificate issuance and apply network-layer access controls to limit who can reach the OpenVPN listener while remediation is in progress.
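The inventory step named under Detection Strategies and Immediate Actions, and the first two workarounds above, all come down to one question per server: does its OpenVPN config load openvpn-auth-oauth2 through the plugin directive? The Go scanner below answers that for a config file. It is an added example, not a tool shipped by openvpn-auth-oauth2 or OpenVPN; the two sample configs are constructed, and the .so path in them is a placeholder rather than the project's real install path. The scanner matches the plugin directive on its path containing "openvpn-auth-oauth2", which assumes the library keeps the project name in its file name.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed example configs; the plugin path is a placeholder.
const pluginModeConfig = `# server.conf, experimental plugin mode
port 1194
proto udp
plugin "/usr/lib/openvpn/plugins/openvpn-auth-oauth2.so" --config /etc/openvpn-auth-oauth2/config.yaml
verb 3`

const managementModeConfig = `# server.conf, default management-interface mode
port 1194
proto udp
management 127.0.0.1 7505
;plugin /usr/lib/openvpn/plugins/openvpn-auth-oauth2.so   (disabled)
verb 3`

// Inventory summarises how openvpn-auth-oauth2 is wired into one server config.
type Inventory struct {
	PluginPaths   []string // plugin directives referencing openvpn-auth-oauth2
	HasManagement bool     // a management directive is present
	PluginMode    bool     // the affected plugin mode is in use
}

// inspectConfig scans an OpenVPN server config. Blank lines and comment
// lines starting with # or ; are skipped, as OpenVPN itself skips them;
// a quoted plugin path is unquoted before matching.
func inspectConfig(cfg string) Inventory {
	var inv Inventory
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		fields := strings.Fields(line)
		switch fields[0] {
		case "plugin":
			if len(fields) < 2 {
				continue
			}
			path := strings.Trim(fields[1], `"'`)
			if strings.Contains(path, "openvpn-auth-oauth2") {
				inv.PluginPaths = append(inv.PluginPaths, path)
			}
		case "management":
			inv.HasManagement = true
		}
	}
	inv.PluginMode = len(inv.PluginPaths) > 0
	return inv
}

func main() {
	for name, cfg := range map[string]string{"plugin-mode": pluginModeConfig, "management-mode": managementModeConfig} {
		inv := inspectConfig(cfg)
		fmt.Printf("%-16s pluginMode=%v management=%v plugins=%v\n", name, inv.PluginMode, inv.HasManagement, inv.PluginPaths)
	}
}
```

A config cannot tell you which openvpn-auth-oauth2 version is installed, so hosts the scanner reports as plugin mode still need the installed version checked against the 1.26.3 to 1.27.2 range before they are marked affected or cleared.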
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.