Critical Privilege Escalation Flaw Discovered in OpenVPN Connect for macOS A critical vulnerability (CVE-2026-9560) has been identified in OpenVPN Connect for macOS, allowing local attackers to execute arbitrary commands with root privileges. The flaw, rated 9.4 (Critical) on the CVSS 4.0 scale, affects versions 3.5.1 through 3.8.1 and stems from an OS command injection weakness (CWE-78) in the application’s privileged helper component. The vulnerability enables threat actors with local system access to exploit an Inter-Process Communication (IPC) channel, injecting malicious commands into OpenVPN’s background service without user interaction. Security researchers Ismael Esquilichi, Pablo Redondo, and Lê Đức Ninh were credited with the responsible disclosure. As of now, no public proof-of-concept exploits or active attacks have been reported. OpenVPN addressed the flaw in a recent update, alongside two additional fixes: a browser authentication failure triggered by malformed server URLs and a UI bug causing crashes during blank profile imports. Organizations using affected versions are advised to update immediately to mitigate potential lateral movement risks, particularly in shared macOS environments. Unpatched systems should be treated as high-risk endpoints.

A critical buffer overflow vulnerability in OpenVPN’s data channel offload driver for Windows allowed local attackers to crash systems by sending maliciously crafted control messages. The vulnerability, identified as CVE-2025-50054, affects versions 1.3.0 and earlier, as well as version 2.5.8 and earlier. This denial-of-service risk could repeatedly crash Windows machines running vulnerable OpenVPN installations, impacting system availability without compromising data confidentiality or integrity. OpenVPN 2.7_alpha2 fixes the issue and improves Windows support, but users should update promptly and restrict driver access until stable patches are available.