CVE-2026-9560

HIGH

OpenVPN Connect < 3.8.1 - Privilege Defined With Unsafe Actions

Title source: rule

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-9560. PoCs published by HORKimhab, dninhl.

AI-analyzed exploit summary The repository contains no functional exploit code, only a template file and a generic README with placeholder instructions. It lacks technical details about CVE-2026-9560 or any proof-of-concept implementation.

Description

Privilege escalation via background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via local IPC channel

Exploits (2)

nomisec STUB

by HORKimhab · poc

https://github.com/HORKimhab/CVE-2026-9560

View Code ZIP pw:eip

The repository contains no functional exploit code, only a template file and a generic README with placeholder instructions. It lacks technical details about CVE-2026-9560 or any proof-of-concept implementation.

Classification

Stub 95%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unspecified

No auth needed

Prerequisites: none

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Jun 01, 2026 Full analysis →

nomisec WORKING POC

by dninhl · poc

https://github.com/dninhl/CVE-2026-9560

View Code ZIP pw:eip

This Python script exploits a local privilege escalation (LPE) vulnerability in OpenVPN Connect's ovpnhelper service via a Unix socket. It injects a base64-encoded reverse shell payload into the service, which executes as root, providing an interactive shell.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: OpenVPN Connect (ovpnhelper service)

No auth needed

Prerequisites: Access to the Unix socket at /var/run/ovpnhelper_service.sock · Python 3 environment

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed May 29, 2026 Full analysis →

References (1)

Core 1

Core References

Release Notes release-notes

https://openvpn.net/connect-docs/macos-release-notes.html

Scores

CVSS v3 7.8

EPSS 0.0006

EPSS Percentile 17.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-267 CWE-270 CWE-648 CWE-78

Status published

Products (2)

openvpn/connect 3.5.1 - 3.8.2

OpenVPN Inc/OpenVPN Connect 3.5.1 - 3.8.1

Published May 26, 2026

Tracked Since May 26, 2026