CVE-2026-31893

Tunnelblick is an open source graphical user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink-following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect, and no authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration whose config.ovpn is a symlink pointing to any file and request that tunnelblickd read it. This issue has been fixed in version 9.0beta02.
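As an added defender-side illustration of the fix class for this CWE (this is not Tunnelblick's code; the function names, the temp-directory fixture and the file names in it are assumptions), the helper below opens config.ovpn inside a .tblk bundle while refusing to follow a symlink at any path component, and a constructed fixture plants a symlinked config.ovpn to show the open being rejected with ELOOP instead of reading the target file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open "<tblk_dir>/config.ovpn" the way a privileged helper should: every
 * component of the caller-supplied absolute path is opened with O_NOFOLLOW, so
 * a symlink anywhere in the bundle cannot redirect the read. Returns an fd, or -1
 * with errno set (ELOOP when a symlink was hit). Assumed API, not Tunnelblick's. */
int open_config_nofollow(const char *tblk_dir) {
    char path[PATH_MAX], *save = NULL;
    if (tblk_dir[0] != '/' || strlen(tblk_dir) >= sizeof path) { errno = EINVAL; return -1; }
    strcpy(path, tblk_dir);
    int dirfd = open("/", O_RDONLY | O_DIRECTORY); if (dirfd < 0) return -1;
    for (char *c = strtok_r(path, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        int next = openat(dirfd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW), e = errno;
        close(dirfd);
        if (next < 0) { errno = e; return -1; }   /* ELOOP: this component is a symlink */
        dirfd = next;
    }
    int fd = openat(dirfd, "config.ovpn", O_RDONLY | O_NOFOLLOW), e = errno;
    close(dirfd); errno = e;
    struct stat st;   /* also refuse anything that is not a plain regular file */
    if (fd >= 0 && (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))) { close(fd); errno = EINVAL; fd = -1; }
    return fd;
}

/* Constructed fixture (not from the advisory): a temp tree holding secret.txt,
 * standing in for a root-owned file, and x.tblk/config.ovpn that is either a real
 * file or a symlink to ../secret.txt. Returns 0 on a successful open, else errno. */
int check_bundle(int config_is_symlink) {
    char tmpl[] = "/tmp/tblk-demo-XXXXXX", root[PATH_MAX], p[PATH_MAX];
    if (!mkdtemp(tmpl) || !realpath(tmpl, root)) return errno;  /* /tmp may itself be a symlink */
    snprintf(p, sizeof p, "%s/secret.txt", root);
    FILE *f = fopen(p, "w"); if (!f) return errno; fputs("secret\n", f); fclose(f);
    snprintf(p, sizeof p, "%s/x.tblk", root);
    if (mkdir(p, 0755) < 0) return errno;
    char *bundle = strdup(p);
    snprintf(p, sizeof p, "%s/config.ovpn", bundle);
    if (config_is_symlink) { if (symlink("../secret.txt", p) < 0) return errno; }
    else { if (!(f = fopen(p, "w"))) return errno; fputs("client\n", f); fclose(f); }
    int fd = open_config_nofollow(bundle), err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd); free(bundle);
    return err;
}
```

A helper that instead builds the path with snprintf and calls open() or fopen() directly follows the planted symlink silently; the component walk above is what turns that into a visible ELOOP failure.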
Configurations

Configuration 1

cpe:2.3:a:tunnelblick:tunnelblick:*:*:*:*:*:*:*:*
cpe:2.3:a:tunnelblick:tunnelblick:3.3:beta26:*:*:*:*:*:*
cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta01:*:*:*:*:*:*
cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta02:*:*:*:*:*:*
cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta03:*:*:*:*:*:*
cpe:2.3:a:tunnelblick:tunnelblick:9.0:beta01:*:*:*:*:*:*

History

01 Jun 2026, 17:04

Type: References
  Values Removed: https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02 (no tags)
  Values Added:   https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02 - Product, Release Notes

Type: References
  Values Removed: https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69 (no tags)
  Values Added:   https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69 - Exploit, Vendor Advisory

Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added:   v2 : unknown; v3 : 5.5

Type: CPE
  Values Added:
    cpe:2.3:a:tunnelblick:tunnelblick:3.3:beta26:*:*:*:*:*:*
    cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta02:*:*:*:*:*:*
    cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta01:*:*:*:*:*:*
    cpe:2.3:a:tunnelblick:tunnelblick:9.0:beta01:*:*:*:*:*:*
    cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta03:*:*:*:*:*:*
    cpe:2.3:a:tunnelblick:tunnelblick:*:*:*:*:*:*:*:*

Type: First Time
  Values Added:   Tunnelblick
                  Tunnelblick tunnelblick

05 May 2026, 20:16

Type: New CVE

Information

Published : 2026-05-05 20:16

Updated : 2026-06-01 17:04


NVD link : CVE-2026-31893

Mitre link : CVE-2026-31893

CVE.ORG link : CVE-2026-31893

Products Affected

tunnelblick (vendor)

  • tunnelblick (product)
CWE
CWE-61: UNIX Symbolic Link (Symlink) Following