CVE-2026-31893

Published: Mag 05, 2026 Last Modified: Mag 05, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,8

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02.

UNIX Symbolic Link (Symlink) Following

Incomplete

Abstraction: Compound Structure: Composite

Common Consequences

Security Scopes Affected:

Confidentiality Integrity

Potential Impacts:

Read Files Or Directories Modify Files Or Directories

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://github.com/Tunnelblick/Tunnelblick/security/advisor…

https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-h…

https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.…

https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02