CVE-2026-31893

Source
https://cve.org/CVERecord?id=CVE-2026-31893
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31893.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31893
Aliases
  • GHSA-927j-vcjf-hq69
Published
2026-05-05T18:55:41.737Z
Modified
2026-07-08T08:00:05.846655191Z
Severity
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Tunnelblick arbitrary file read via symlink following in tunnelblickd
Details

Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31893.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-61"
    ]
}
References

Affected packages

Git / github.com/tunnelblick/tunnelblick

Affected ranges

Type
GIT
Repo
https://github.com/tunnelblick/tunnelblick
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:tunnelblick:tunnelblick:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta01:*:*:*:*:*:*",
        "cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta02:*:*:*:*:*:*",
        "cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta03:*:*:*:*:*:*",
        "cpe:2.3:a:tunnelblick:tunnelblick:9.0:beta01:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "3.5.3"
        },
        {
            "fixed": "8.0.1"
        },
        {
            "introduced": "8.1-beta01"
        },
        {
            "last_affected": "8.1-beta01"
        },
        {
            "introduced": "8.1-beta02"
        },
        {
            "last_affected": "8.1-beta02"
        },
        {
            "introduced": "8.1-beta03"
        },
        {
            "last_affected": "8.1-beta03"
        },
        {
            "introduced": "9.0-beta01"
        },
        {
            "last_affected": "9.0-beta01"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ]
}

Affected versions

8.*
8.1-beta01
8.1-beta02
8.1-beta03
9.*
9.0-beta01
v8.*
v8.1beta01
v8.1beta02
v8.1beta03
v9.*
v9.0beta01

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31893.json"