Unknown · Openvpn-Auth-Oauth2 · CVE-2026-41070
**Name of the Vulnerable Software and Affected Versions**
openvpn-auth-oauth2 versions 1.26.3 through 1.27.2
**Description**
An authentication bypass exists when the software is deployed in experimental plugin mode. Clients that do not support WebAuth/SSO are incorrectly granted full network access without completing OIDC authentication. This occurs because the `handleAuthUserPassVerify` function in `lib/openvpn-auth-oauth2/openvpn/handle.go` returns `OPENVPN_PLUGIN_FUNC_SUCCESS` even when a client is denied. OpenVPN interprets this return code as successful authentication and ignores the deny command written to the `auth_control_file`; OpenVPN only consults that file when the plugin returns `OPENVPN_PLUGIN_FUNC_DEFERRED`.
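To show why the return code alone decides the outcome, the following Go model is an added example, not code from openvpn-auth-oauth2 or OpenVPN: a hypothetical vulnerable handler and its fixed counterpart both deny a client through the control file, and a minimal model of OpenVPN's handling of the plugin result shows which one actually keeps the client out. The names `vulnerableVerify`, `fixedVerify`, `openvpnDecision` and `admitted` are assumptions.

```go
package main

import (
	"fmt"
	"os"
)

// Return codes with the values used by the OpenVPN plugin API (OPENVPN_PLUGIN_FUNC_*).
type PluginResult int
const FuncSuccess, FuncError, FuncDeferred PluginResult = 0, 1, 2

// Hypothetical handlers (not the project's code) for a client that failed the
// OIDC check: both deny by writing "0" to auth_control_file; only the code differs.
func vulnerableVerify(cf string) (PluginResult, error) {
	return FuncSuccess, os.WriteFile(cf, []byte("0"), 0o600) // bug: SUCCESS
}

func fixedVerify(cf string) (PluginResult, error) {
	return FuncDeferred, os.WriteFile(cf, []byte("0"), 0o600) // DEFERRED
}

// openvpnDecision models how OpenVPN treats the code: SUCCESS accepts and ERROR
// rejects at once; only DEFERRED makes it read auth_control_file ("1" = allow).
func openvpnDecision(res PluginResult, cf string) bool {
	switch res {
	case FuncSuccess:
		return true
	case FuncDeferred:
		b, err := os.ReadFile(cf)
		return err == nil && string(b) == "1"
	default:
		return false
	}
}

// admitted runs a handler against a temporary control file and reports whether
// OpenVPN would admit the client that the handler just denied.
func admitted(verify func(string) (PluginResult, error)) bool {
	f, err := os.CreateTemp("", "auth_control_file")
	if err != nil {
		return false
	}
	f.Close()
	defer os.Remove(f.Name())
	res, err := verify(f.Name())
	return err == nil && openvpnDecision(res, f.Name())
}

func main() {
	fmt.Println("admits denied client? vulnerable:", admitted(vulnerableVerify), "fixed:", admitted(fixedVerify))
}
```

The vulnerable handler reports `true` (the denied client is let in) and the fixed handler `false`, which is the whole bug: the control file is only honoured behind a DEFERRED result.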
**Recommendations**
Update openvpn-auth-oauth2 to version 1.27.3.
Switch to standalone management client mode.
Restrict VPN access at the network level to only clients known to support WebAuth/SSO.