{"id":"CVE-2025-13086","details":"Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client","modified":"2026-07-08T08:11:56.704760289Z","published":"2025-12-03T19:54:10.737Z","related":["SUSE-SU-2026:0831-1","SUSE-SU-2026:20196-1","openSUSE-SU-2026:20137-1"],"database_specific":{"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"2.6.0"},{"last_affected":"2.6.15"},{"introduced":"2.7_alpha1"},{"last_affected":"2.7_rc1"}]},{"source":"DESCRIPTION","extracted_events":[{"introduced":"2.6.0"},{"fixed":"2.6.15"},{"introduced":"2.7_alpha1"},{"fixed":"2.7_rc1"}]}],"cna_assigner":"OpenVPN","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/13xxx/CVE-2025-13086.json","cwe_ids":["CWE-940"]},"references":[{"type":"ADVISORY","url":"https://community.openvpn.net/Security%20Announcements/CVE-2025-13086"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/13xxx/CVE-2025-13086.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13086"},{"type":"ADVISORY","url":"https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00151.html"},{"type":"ADVISORY","url":"https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00152.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openvpn/openvpn","events":[{"introduced":"b999466418dddb89721be5455f03bacd9b221b1d"},{"fixed":"647b115111079fcfd4e6dc9a8b3a090cfe7c3d93"},{"introduced":"5d3f3556a1f7cb26a2fb5e1c8299f03d0487cc6f"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:openvpn:openvpn:*:*:*:*:community:*:*:*","cpe:2.3:a:openvpn:openvpn:2.7:alpha1:*:*:community:*:*:*","cpe:2.3:a:openvpn:openvpn:2.7:alpha2:*:*:community:*:*:*","cpe:2.3:a:openvpn:openvpn:2.7:alpha3:*:*:community:*:*:*","cpe:2.3:a:openvpn:openvpn:2.7:beta1:*:*:community:*:*:*","cpe:2.3:a:openvpn:openvpn:2.7:beta2:*:*:community:*:*:*","cpe:2.3:a:openvpn:openvpn:2.7:beta3:*:*:community:*:*:*","cpe:2.3:a:openvpn:openvpn:2.7:rc1:*:*:community:*:*:*"],"extracted_events":[{"introduced":"2.6.0"},{"fixed":"2.6.16"},{"introduced":"2.7-alpha1"},{"last_affected":"2.7-alpha1"},{"introduced":"2.7-alpha2"},{"last_affected":"2.7-alpha2"},{"introduced":"2.7-alpha3"},{"last_affected":"2.7-alpha3"},{"introduced":"2.7-beta1"},{"last_affected":"2.7-beta1"},{"introduced":"2.7-beta2"},{"last_affected":"2.7-beta2"},{"introduced":"2.7-beta3"},{"last_affected":"2.7-beta3"},{"introduced":"2.7-rc1"},{"last_affected":"2.7-rc1"}]}}],"versions":["2.7-alpha1","2.7-alpha2","2.7-alpha3","2.7-beta1","2.7-beta2","2.7-beta3","2.7-rc1","v2.6.15","v2.6.14","v2.6.13","v2.6.12","v2.6.11","v2.6.10","v2.6.9","v2.6.8","v2.6.7","v2.6.6","v2.6.5","v2.6.4","v2.6.3","v2.6.2","v2.6.1","v2.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13086.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"}]}