Critical (10.0)

openvpn-auth-oauth2 bypasses SSO auth (CVE-2026-41070)


CVE-2026-41070: openvpn-auth-oauth2 1.26.3 up to, but not including, 1.27.3 bypasses SSO auth in plugin mode, admitting denied clients (CVSS 10.0). Patch now to version 1.27.3.

Patch now - CVE-2026-41070 is a critical authentication bypass in openvpn-auth-oauth2 versions 1.26.3 to before 1.27.3 that lets clients without WebAuth support connect to the VPN despite being denied by the OIDC SSO authentication logic. Patched in version 1.27.3 - update immediately.

Overview

CVE-2026-41070 affects the openvpn-auth-oauth2 plugin when deployed in its experimental plugin mode, where it is loaded as a shared library by OpenVPN via the plugin directive. In this mode, the plugin relies on the OpenVPN plugin return-code mechanism to communicate authentication decisions. However, clients that do not support WebAuth or SSO - such as the standard OpenVPN CLI on Linux - are incorrectly admitted to the VPN even when the plugin’s OIDC authentication logic has denied them access.

This means an attacker with network access to the VPN server can bypass the entire SSO authentication layer and gain a full VPN tunnel connection. The vulnerability carries a CVSS score of 10.0 (Critical) because it requires no privileges, no user interaction, and can be exploited remotely over the network.

The default management-interface mode is not affected because it uses a separate communication channel that does not depend on the OpenVPN plugin return-code mechanism.

Impact

Successful exploitation of CVE-2026-41070 grants an unauthenticated attacker a fully authenticated VPN session. Once connected, the attacker can access internal network resources that are only reachable through the VPN tunnel, potentially bypassing all network segmentation and access controls that depend on the SSO authentication layer.

The severity is amplified because the attacker needs no credentials, no valid session token, and no user interaction. Any client that does not support WebAuth can exploit this against a vulnerable plugin-mode deployment.

Remediation

OpenVPN has patched this vulnerability in version 1.27.3 of openvpn-auth-oauth2. All deployments using the experimental plugin mode between versions 1.26.3 and 1.27.2 must upgrade immediately.

Organizations that cannot upgrade immediately should disable plugin mode and run openvpn-auth-oauth2 exclusively in the default management-interface mode, which is not affected by this vulnerability, until the patch can be applied.
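As an added example (not code from the openvpn-auth-oauth2 project), the following POSIX shell functions let an operator check whether a deployment matches the advisory's exposure conditions: an OpenVPN server config that loads the plugin via a `plugin` directive, combined with an installed version in the affected range. It assumes the shared-library name contains "openvpn-auth-oauth2" and that the installed version is supplied by the caller (for example from the package manager), since the page does not describe how the version is queried.

```shell
#!/bin/sh
# Exposure check for CVE-2026-41070 (constructed example, not project code).

# Compare two dotted version strings; print -1, 0 or 1 (like strcmp).
ver_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    len = (n > m) ? n : m;
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0;
      bi = (i <= m) ? y[i] + 0 : 0;
      if (ai < bi) { print "-1"; exit }
      if (ai > bi) { print "1"; exit }
    }
    print "0"
  }'
}

# Exit 0 when the version lies in the affected range 1.26.3 <= v < 1.27.3.
version_affected() {
  [ "$(ver_cmp "$1" 1.26.3)" -ge 0 ] && [ "$(ver_cmp "$1" 1.27.3)" -lt 0 ]
}

# Exit 0 when the OpenVPN server config loads the plugin with a `plugin` line
# (comment lines are ignored). The management-interface mode, which uses the
# `management` directive and a separate daemon instead, is not affected.
# Assumption: the library file name contains "openvpn-auth-oauth2".
uses_plugin_mode() {
  grep -Eq '^[[:space:]]*plugin[[:space:]]+[^#]*openvpn-auth-oauth2' "$1"
}

# Combined check. $1 = path to server config, $2 = installed plugin version.
# Exit 0 = vulnerable deployment (plugin mode AND affected version), 1 = not exposed.
check_cve_2026_41070() {
  uses_plugin_mode "$1" && version_affected "$2"
}

# Usage: sh check.sh /etc/openvpn/server.conf 1.27.0
if [ $# -eq 2 ]; then
  if check_cve_2026_41070 "$1" "$2"; then
    echo "VULNERABLE: plugin mode with openvpn-auth-oauth2 $2; upgrade to 1.27.3"
  else
    echo "not exposed: management-interface mode or patched version"
  fi
fi
```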

Security Insight

This vulnerability highlights a dangerous pattern in software development: experimental features often bypass the security hardening applied to default operational modes. The plugin return-code mechanism was designed for a different security context than OIDC-based authentication, and the two were not properly validated together. This mirrors similar incidents in other VPN and authentication products where alternative enrollment or re-auth paths accidentally opened access to denied users. Vendors should treat experimental features with the same threat-modeling rigor as production features, and organizations should be cautious about enabling non-default modes in authentication-critical components.
