CVE-2026-31893

May 5, 2026, 8:16 p.m.

6.8
Medium

Description

Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02.

Product(s) Impacted

Vendor Product Versions
Tunnelblick
  • Tunnelblick
  • 3.3beta26-9.0beta01

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-61
UNIX Symbolic Link (Symlink) Following
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a tunnelblick tunnelblick 3.3beta26-9.0beta01 / / / / / / /

References

https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02
https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69
https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69

Tags

[email protected]
CWE-61
2026-05-05
CVE-2026-31893

CVSS Score

6.8 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: May 5, 2026, 8:16 p.m.
Last Modified: May 5, 2026, 8:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.