{"id":"CVE-2026-31893","summary":"Tunnelblick arbitrary file read via symlink following in tunnelblickd","details":"Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in versions 9.0beta02.","aliases":["GHSA-927j-vcjf-hq69"],"modified":"2026-07-08T08:00:05.846655191Z","published":"2026-05-05T18:55:41.737Z","database_specific":{"cwe_ids":["CWE-61"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31893.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31893.json"},{"type":"ADVISORY","url":"https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31893"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tunnelblick/tunnelblick","events":[{"introduced":"553e3e99f73ad93620a37c87408c5d0838964310"},{"fixed":"ba7d57c175c61caceb7faa66ca0bcc4d69ce0c77"},{"introduced":"238dd15970955abe6f1b00208729ae2f9dd9c0e8"},{"fixed":"035668b12ec19bfb1685cdb871f377314eb9255d"}],"database_specific":{"cpe":["cpe:2.3:a:tunnelblick:tunnelblick:*:*:*:*:*:*:*:*","cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta01:*:*:*:*:*:*","cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta02:*:*:*:*:*:*","cpe:2.3:a:tunnelblick:tunnelblick:8.1:beta03:*:*:*:*:*:*","cpe:2.3:a:tunnelblick:tunnelblick:9.0:beta01:*:*:*:*:*:*"],"extracted_events":[{"introduced":"3.5.3"},{"fixed":"8.0.1"},{"introduced":"8.1-beta01"},{"last_affected":"8.1-beta01"},{"introduced":"8.1-beta02"},{"last_affected":"8.1-beta02"},{"introduced":"8.1-beta03"},{"last_affected":"8.1-beta03"},{"introduced":"9.0-beta01"},{"last_affected":"9.0-beta01"}],"source":["CPE_RANGE","CPE_STRING","REFERENCES"]}}],"versions":["8.1-beta01","8.1-beta02","8.1-beta03","9.0-beta01","v9.0beta01","v8.1beta03","v8.1beta02","v8.1beta01"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31893.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}