CVE-2026-9560 PUBLISHED

Assigner: OpenVPN
Reserved: 26.05.2026 Published: 26.05.2026 Updated: 27.05.2026

A privilege escalation vulnerability in the background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via a local IPC channel.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 8.9

Product Status

Vendor: OpenVPN Inc
Product: OpenVPN Connect
Versions: Default: unaffected
  • affected from 3.5.1 to 3.8.1 (incl.)

Problem Types

  • CWE-78
  • CWE-267 Privilege defined with unsafe actions
  • CWE-270 Privilege context switching error
  • CWE-648 Incorrect use of privileged APIs