{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/jkroepke/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openvpn-auth-oauth2"],"_cs_severities":["critical"],"_cs_tags":["openvpn","authentication-bypass","vpn"],"_cs_type":"advisory","_cs_vendors":["jkroepke"],"content_html":"\u003cp\u003eOpenVPN-auth-oauth2, a plugin for OpenVPN, is susceptible to an authentication bypass vulnerability in versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode. This flaw allows unauthenticated VPN access for clients that do not support WebAuth/SSO. Specifically, standard OpenVPN clients like the Linux CLI \u003ccode\u003eopenvpn\u003c/code\u003e, which do not advertise WebAuth/SSO support (\u003ccode\u003eIV_SSO=webauth\u003c/code\u003e), can bypass OIDC authentication and gain full network access. The default management-interface mode is not affected. Successful exploitation grants unauthorized access to the internal network behind the VPN. This vulnerability is addressed in version 1.27.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenVPN server running openvpn-auth-oauth2 in experimental plugin mode (versions 1.26.3 - 1.27.2).\u003c/li\u003e\n\u003cli\u003eAttacker uses a standard OpenVPN client (e.g., Linux \u003ccode\u003eopenvpn\u003c/code\u003e CLI) that does not support WebAuth/SSO.\u003c/li\u003e\n\u003cli\u003eThe client initiates a connection to the OpenVPN server, bypassing the expected WebAuth/SSO flow.\u003c/li\u003e\n\u003cli\u003eThe openvpn-auth-oauth2 plugin attempts to deny the client by writing \u0026ldquo;0\u0026rdquo; to the \u003ccode\u003eauth_control_file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe plugin incorrectly returns \u003ccode\u003eOPENVPN_PLUGIN_FUNC_SUCCESS\u003c/code\u003e to the OpenVPN server.\u003c/li\u003e\n\u003cli\u003eOpenVPN interprets the \u003ccode\u003eFUNC_SUCCESS\u003c/code\u003e return code as successful authentication, ignoring the \u0026ldquo;0\u0026rdquo; in the \u003ccode\u003eauth_control_file\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe OpenVPN server grants the unauthenticated client full access to the internal network behind the VPN.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to internal resources and performs malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants unauthenticated attackers full access to the internal network behind the OpenVPN server. This could lead to data breaches, lateral movement within the network, and potential compromise of sensitive systems. The vulnerability affects any deployment using the experimental plugin mode with vulnerable versions. This could result in significant financial losses, reputational damage, and legal repercussions for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to openvpn-auth-oauth2 version 1.27.3 to apply the fix described in commit \u003ca href=\"https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2\"\u003e\u003ccode\u003e36f69a6\u003c/code\u003e\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not feasible, switch to the standalone management client mode (the default, non-plugin deployment) as a workaround.\u003c/li\u003e\n\u003cli\u003eMonitor OpenVPN server logs for connection attempts from clients that do not support WebAuth/SSO (identified by missing \u003ccode\u003eIV_SSO=webauth\u003c/code\u003e in the logs) and correlate with network access activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T14:29:22Z","date_published":"2026-04-22T14:29:22Z","id":"/briefs/2026-04-openvpn-auth-bypass/","summary":"A critical authentication bypass vulnerability exists in openvpn-auth-oauth2 versions 1.26.3 through 1.27.2 when deployed in the experimental plugin mode; clients that do not support WebAuth/SSO are incorrectly granted VPN access without completing OIDC authentication.","title":"OpenVPN-auth-oauth2 Authentication Bypass in Plugin Mode","url":"https://feed.craftedsignal.io/briefs/2026-04-openvpn-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Jkroepke","version":"https://jsonfeed.org/version/1.1"}