CVE-2025-13086

Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://community.openvpn.net/Security%20Announcements/CVE-2025-13086	Vendor Advisory
https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00151.html	Mailing List Release Notes
https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html	Mailing List Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openvpn:openvpn:::::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:alpha1:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:alpha2:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:alpha3:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:beta1:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:beta2:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:beta3:::community:::*
	cpe:2.3:a:openvpn:openvpn:2.7:rc1:::community:::*

History

30 Jan 2026, 18:38

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openvpn:openvpn:2.7:alpha3:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:alpha1:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:beta2:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:beta1:::community:::* cpe:2.3:a:openvpn:openvpn:::::community:::* cpe:2.3:a:openvpn:openvpn:2.7:beta3:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:alpha2:::community:::* cpe:2.3:a:openvpn:openvpn:2.7:rc1:::community:::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://community.openvpn.net/Security%20Announcements/CVE-2025-13086 -~~	() https://community.openvpn.net/Security%20Announcements/CVE-2025-13086 - Vendor Advisory
References	~~() https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00151.html -~~	() https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00151.html - Mailing List, Release Notes
References	~~() https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html -~~	() https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html - Mailing List, Release Notes
First Time		Openvpn openvpn Openvpn

12 Dec 2025, 14:15

Type	Values Removed	Values Added
Summary	(en) Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client	(en) Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client

03 Dec 2025, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-03 20:16

Updated : 2026-01-30 18:38

NVD link : CVE-2025-13086

Mitre link : CVE-2025-13086

CVE.ORG link : CVE-2025-13086

JSON object : View

Products Affected

openvpn

openvpn

CWE

CWE-940

Improper Verification of Source of a Communication Channel

7.5 /10