Skip to main content

Tunnelblick EUVDEUVD-2026-27434

| CVE-2026-31893 MEDIUM
UNIX Symbolic Link (Symlink) Following (CWE-61)
2026-05-05 GitHub_M
6.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 05, 2026 - 22:00 vuln.today
Analysis Generated
May 05, 2026 - 22:00 vuln.today
Patch available
May 05, 2026 - 21:02 EUVD
CVSS changed
May 05, 2026 - 20:22 NVD
6.8 (MEDIUM)

DescriptionGitHub Advisory

Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02.

AnalysisAI

Arbitrary file read as root via symlink following vulnerability in Tunnelblick versions 3.3beta26 through 9.0beta01 allows any local user to exploit tunnelblick-helper through the world-accessible tunnelblickd Unix socket to read arbitrary root-owned files. The vulnerability exists because tunnelblick-helper constructs paths to configuration files within user-controlled directories and reads them as root without validating symlinks, enabling attackers to redirect reads to sensitive files. Vendor-released patch available in version 9.0beta02. SSVC framework identifies this as exploitable with publicly available proof-of-concept code but not automatically exploitable.

Technical ContextAI

Tunnelblick is a graphical OpenVPN client for macOS that uses a privileged helper process named tunnelblick-helper to perform operations requiring root access. The vulnerability roots in CWE-61 (symlink following) where the helper process constructs file paths by joining user-controlled directories with hardcoded filenames without canonical path validation. The tunnelblickd Unix domain socket is created with overly permissive mode 0666, allowing any local user to connect regardless of privilege level, and no authentication or authorization checks validate the connecting client's identity or permissions. When a user requests tunnelblick-helper to read a configuration file from a .tblk bundle, the process follows symlinks without resolving the canonical path, allowing an attacker to redirect reads to arbitrary files outside the intended directory.

RemediationAI

Upgrade immediately to Tunnelblick version 9.0beta02 or later, which includes the security fix confirmed in the official release notes at https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02. The vendor notes that updating from certain older versions may require 60-90 seconds and may prompt for additional administrator authorization. For environments unable to immediately upgrade, restrict local user access to macOS systems running vulnerable Tunnelblick versions; this does not eliminate the vulnerability but reduces the pool of potential attackers to trusted users. Additionally, monitor the tunnelblickd socket for unexpected connections and audit file access patterns in privileged processes using macOS audit frameworks (audit(4) and log(1) tools) to detect exploitation attempts. However, these compensating controls are temporary measures only and should not delay patching.

Share

EUVD-2026-27434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy