Skip to main content

OpenVPN Connect CVE-2026-9560

| EUVDEUVD-2026-31941 CRITICAL
OS Command Injection (CWE-78)
2026-05-26 OpenVPN GHSA-26rp-gp3x-v78c
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 08:32 vuln.today
CVSS changed
May 26, 2026 - 18:22 NVD
9.4 (CRITICAL)
CVE Published
May 26, 2026 - 17:39 nvd
CRITICAL 9.4

DescriptionCVE.org

Privilege escalation via background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via local IPC channel

AnalysisAI

Local privilege escalation in OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows unprivileged local users to execute arbitrary OS commands as root by abusing an exposed local IPC channel to the privileged background service. The flaw carries a CVSS 4.0 score of 9.4 with scope change (SC:H/SI:H/SA:H), and SSVC rates technical impact as total, though there is no public exploit identified at time of analysis and EPSS is only 0.04%.

Technical ContextAI

OpenVPN Connect for macOS ships a privileged background helper (typically a launchd-managed service running as root) that performs VPN configuration, routing, and tunnel setup on behalf of the unprivileged GUI client. The two components communicate over a local IPC channel (Unix domain socket or Mach service). CWE-78 (OS Command Injection) indicates that input received on this IPC channel is passed to a shell or command interpreter without adequate neutralization, so a local caller can splice shell metacharacters or extra arguments into a command the helper executes as root. The CPE cpe:2.3:a:openvpn_inc:openvpn_connect identifies the OpenVPN Inc. Connect client as the affected product, and the vector AV:L confirms the attacker must already be a local user on the macOS host.

RemediationAI

Upgrade OpenVPN Connect for macOS to a version newer than 3.8.1 as published in the vendor release notes at https://openvpn.net/connect-docs/macos-release-notes.html; the input data does not name an exact fixed build, so administrators should consult those release notes for the first version above 3.8.1 that explicitly addresses CVE-2026-9560. Until patched, restrict who can log into affected Macs and consider unloading or disabling the privileged OpenVPN Connect launchd helper (which prevents establishing new VPN tunnels until reloaded), or temporarily uninstalling the client and routing users through an alternative VPN client on shared or multi-user macOS hosts. Monitor endpoint telemetry for unexpected child processes spawned by the OpenVPN Connect helper service as a detective control.

Share

CVE-2026-9560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy