Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
10.0
OpenVPN with OAuth2 plugin allows unauthorized access
DEBIAN-CVE-2026-41070
Summary
OpenVPN servers with an OAuth2 plugin in experimental mode may let unauthorized users connect. This happens when they use a client that doesn't support single sign-on. The fix is included in version 1.27.3, so update to that or later version to prevent unauthorized access.
What to do
- Update debian openvpn-auth-oauth2 to version 1.27.3-1.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Debian:14 | debian | openvpn-auth-oauth2 |
< 1.27.3-1 Fix: upgrade to 1.27.3-1
|
Original title
openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-au...
Original description
openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3.
- https://security-tracker.debian.org/tracker/CVE-2026-41070 Vendor Advisory
Published: 8 May 2026 · Updated: 9 May 2026 · First seen: 9 May 2026