cvedb.io
CVE-2026-31893
MEDIUM · CVSS 5.5
EPSS exploitation probability: 0%
Published 2026-05-05T20:16:35.373 · Last modified 2026-06-17T10:34:42.660

Summary

Tunnelblick is an open-source graphical user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink-following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is created with mode 0666, so any local user can connect, and no authorization check is performed on the connecting client. tunnelblick-helper builds a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without checking for symlinks along that path. An attacker can therefore create a .tblk configuration whose config.ovpn is a symlink to any file and ask tunnelblickd to read it, receiving the target's contents. This issue has been fixed in version 9.0beta02.
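
The two open patterns at the heart of this advisory, as an added example; this is not Tunnelblick's code and it does not reproduce the real .tblk bundle layout (a flat `<name>.tblk/config.ovpn` layout is assumed for the demo). The vulnerable helper pattern joins a caller-controlled directory with `config.ovpn` and calls open(2), which follows symlinks at every component. The hardened version opens the root with O_NOFOLLOW and then walks the relative path one component at a time with openat(2) plus O_NOFOLLOW, so a symlink at any level fails with ELOOP, and it additionally requires the final object to be a regular file owned by the requesting user. The fixture (a stand-in secret file, an attacker's .tblk with a symlinked config.ovpn, an honest .tblk) is constructed by the program itself under /tmp; all names in it are made up for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed test tree (hypothetical names, simplified .tblk layout):
 * secret.txt stands in for a root-owned file, evil.tblk/config.ovpn is a
 * symlink to it, legit.tblk/config.ovpn is a real config. */
typedef struct {
    char root[PATH_MAX], secret[PATH_MAX], evil_tblk[PATH_MAX], legit_tblk[PATH_MAX];
} fixture_t;

static int write_file(const char *path, const char *text) {
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs(text, fp);
    return fclose(fp);
}

int build_fixture(fixture_t *f) {
    char p[PATH_MAX];
    snprintf(f->root, sizeof f->root, "/tmp/tblk-demo-XXXXXX");
    if (!mkdtemp(f->root)) return -1;
    snprintf(f->secret, sizeof f->secret, "%s/secret.txt", f->root);
    snprintf(f->evil_tblk, sizeof f->evil_tblk, "%s/evil.tblk", f->root);
    snprintf(f->legit_tblk, sizeof f->legit_tblk, "%s/legit.tblk", f->root);
    if (write_file(f->secret, "top secret\n") < 0) return -1;
    if (mkdir(f->evil_tblk, 0755) < 0 || mkdir(f->legit_tblk, 0755) < 0) return -1;
    snprintf(p, sizeof p, "%s/config.ovpn", f->evil_tblk);
    if (symlink(f->secret, p) < 0) return -1;        /* the attacker's symlink */
    snprintf(p, sizeof p, "%s/config.ovpn", f->legit_tblk);
    return write_file(p, "client\nremote vpn.example.net 1194\n");
}

/* Vulnerable pattern from the advisory: build "<dir>/config.ovpn" and open(2)
 * it. open() follows symlinks, so a root helper reads whatever the link targets. */
int open_config_naive(const char *tblk_dir) {
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/config.ovpn", tblk_dir) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return open(path, O_RDONLY);
}

/* Hardened pattern: O_NOFOLLOW on the root, then openat()+O_NOFOLLOW per
 * component, so a symlink anywhere in relpath fails with ELOOP. Absolute
 * paths and ".." are refused (EINVAL); the result must be a regular file
 * owned by `owner`, the requesting user (EPERM otherwise). */
int open_nofollow(const char *root, const char *relpath, uid_t owner) {
    char buf[PATH_MAX], *save = NULL;
    struct stat st;
    if (relpath[0] == '/' || strlen(relpath) >= sizeof buf) { errno = EINVAL; return -1; }
    strcpy(buf, relpath);
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    for (char *c = strtok_r(buf, "/", &save); c; c = strtok_r(NULL, "/", &save)) {
        if (strcmp(c, "..") == 0) { close(fd); errno = EINVAL; return -1; }
        int next = openat(fd, c, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        int saved = errno;
        close(fd);                       /* done with the parent either way */
        if (next < 0) { errno = saved; return -1; }
        fd = next;
    }
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Read up to n-1 bytes from fd into buf, NUL-terminate, and close fd. */
ssize_t read_text(int fd, char *buf, size_t n) {
    ssize_t got = read(fd, buf, n - 1);
    close(fd);
    if (got < 0) return -1;
    buf[got] = '\0';
    return got;
}

int main(void) {
    fixture_t f;
    char buf[256];
    if (build_fixture(&f) < 0) { perror("fixture"); return 1; }
    int fd = open_config_naive(f.evil_tblk);
    if (fd >= 0 && read_text(fd, buf, sizeof buf) > 0)
        printf("naive open followed the symlink and read: %s", buf);
    if (open_nofollow(f.evil_tblk, "config.ovpn", getuid()) < 0)
        printf("nofollow open refused the symlink: %s\n", strerror(errno));
    fd = open_nofollow(f.legit_tblk, "config.ovpn", getuid());
    if (fd >= 0 && read_text(fd, buf, sizeof buf) > 0)
        printf("nofollow open read the honest config: %s", buf);
    return 0;
}
```

The per-component walk is the portable form of the check; on macOS 11 and later the single flag O_NOFOLLOW_ANY on open(2) rejects a symlink in any component of the path and achieves the same effect in one call. The ownership test matters independently of symlinks: a root helper acting for an unprivileged client should refuse to read anything that client could not read itself. The socket half of this advisory (mode 0666, no check on the connecting client) is a separate fix, typically a tighter socket mode plus a peer-identity check such as getpeereid(2) on macOS or SO_PEERCRED on Linux before any request is honoured; this example covers only the file-open half.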

Affected products

tunnelblick — tunnelblick

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.