Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31893.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-61"
]
}{
"cpe": [
"cpe:2.3:a:tunnelblick:tunnelblick:*:*:*:*:*:*:*:*",
"cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta01:*:*:*:*:*:*",
"cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta02:*:*:*:*:*:*",
"cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta03:*:*:*:*:*:*",
"cpe:2.3:a:tunnelblick:tunnelblick:9.0:beta01:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "3.5.3"
},
{
"fixed": "8.0.1"
},
{
"introduced": "8.1-beta01"
},
{
"last_affected": "8.1-beta01"
},
{
"introduced": "8.1-beta02"
},
{
"last_affected": "8.1-beta02"
},
{
"introduced": "8.1-beta03"
},
{
"last_affected": "8.1-beta03"
},
{
"introduced": "9.0-beta01"
},
{
"last_affected": "9.0-beta01"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
]
}