CVSS 6.8
CVE-2026-31893
- EPSS 0.24%
- Published 05.05.2026 20:16:35
- Last modified 01.06.2026 17:04:55
- Source security-advisories@github.com
Tunnelblick arbitrary file read via symlink following in tunnelblickd
Tunnelblick is an open source graphical user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, so any local user can connect, and no authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration whose config.ovpn is a symlink pointing to any file and ask tunnelblickd to read it. This issue has been fixed in version 9.0beta02.
Data provided by the National Vulnerability Database (NVD)
Affected configurations:
- Tunnelblick ≫ Tunnelblick Version >= 3.5.3 < 8.0.1
- Tunnelblick ≫ Tunnelblick Version 3.3 Update beta26
- Tunnelblick ≫ Tunnelblick Version 8.1 Update beta01
- Tunnelblick ≫ Tunnelblick Version 8.1 Update beta02
- Tunnelblick ≫ Tunnelblick Version 8.1 Update beta03
- Tunnelblick ≫ Tunnelblick Version 9.0 Update beta01
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.151 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| security-advisories@github.com | 6.8 | 0 | 0 | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CWE-61 UNIX Symbolic Link (Symlink) Following
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02
https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69