CVE-2026-31893

5.5 MEDIUM

Tunnelblick is an open source graphic user interface for OpenVPN on macOS

Published: 2026-05-05 · Last updated: 2026-06-01

Severity and scoring

CVSS: 5.5 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-61

Affected products

Vendor	Product
tunnelblick	tunnelblick

Description

Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-31893
[Other]https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02
[Vendor advisory]https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69
[Vendor advisory]https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69

Related CVEs

Same CWE

CVE-2026-5223 — Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to overrid... (5.3 MEDIUM)
CVE-2026-8784 — A vulnerability was detected in npitre cramfs-tools up to 2.2 (4.2 MEDIUM)
CVE-2026-6475 — Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g (8.8 HIGH)
CVE-2026-7819 — Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager (8.1 HIGH)