PT-2026-34452 · Unknown · Openvpn-Auth-Oauth2

Kkalev · Published 2026-04-22 · Updated 2026-05-20 · CVE-2026-41070

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: openvpn-auth-oauth2 versions 1.26.3 through 1.27.2

Description: An authentication bypass exists when the software is deployed in the experimental plugin mode. Clients that do not support WebAuth/SSO are incorrectly granted full network access without completing OIDC authentication. The cause is that the handleAuthUserPassVerify function in lib/openvpn-auth-oauth2/openvpn/handle.go returns OPENVPN_PLUGIN_FUNC_SUCCESS even when a client is denied. OpenVPN treats this return code as a successful authentication and ignores the deny command written to the auth control file; that file is only consulted when the plugin returns OPENVPN_PLUGIN_FUNC_DEFERRED.

Recommendations: Update openvpn-auth-oauth2 to version 1.27.3. Switch to the standalone management client mode. Restrict VPN access at the network level to only clients known to support WebAuth/SSO.

Weakness Enumeration: Improper Authentication

Related Identifiers:

CVE-2026-41070
GHSA-246W-JGMQ-88FG
GO-2026-4963

Affected Products: Openvpn-Auth-Oauth2