CVE-2026-41070: openvpn-auth-oauth2 Critical Bypass in Plugin Mode

A critical authentication bypass (CVE-2026-41070) has been identified in openvpn-auth-oauth2 versions 1.26.3 through 1.27.2. The National Vulnerability Database reports that when this OpenVPN plugin is deployed in its experimental plugin mode, clients that do not support WebAuth/SSO – such as the standard OpenVPN CLI on Linux – can bypass authentication logic and gain unauthorized VPN access, even if denied by the OIDC-based SSO flow.

This vulnerability carries a CVSS score of 10.0 (CRITICAL), indicating severe impact with no authentication required for exploitation. The issue specifically affects deployments where openvpn-auth-oauth2 is loaded via the plugin directive in OpenVPN. The default management-interface mode is not affected, as it does not rely on the OpenVPN plugin’s return-code mechanism for authentication decisions.

Defenders must recognize that this isn’t a theoretical flaw; it’s a fundamental breakdown of access control. An attacker doesn’t need to guess credentials or exploit a complex chain. They just need to connect with a non-SSO client to bypass the intended security gates. The National Vulnerability Database confirms that this has been patched in version 1.27.3, making immediate upgrades non-negotiable for affected deployments.