Security researchers recently discovered a severe security flaw in a popular virtual private network client. Developers have patched a critical OpenVPN Connect macOS vulnerability tracked as CVE-2026-9560. This high-severity flaw carries a CVSS score of 9.4. Local attackers can exploit the gap to gain full administrative control over a compromised Apple system. Enterprise software managers must therefore deploy the latest client updates immediately to secure corporate endpoints.
The Mechanics of the Local IPC Exploit
The underlying technical issue resides in the software’s background infrastructure. The flaw impacts OpenVPN Connect versions 3.5.1 through 3.8.1 on macOS. In these versions, the macOS privileged helper component handles local inter-process communication (IPC) insecurely. An attacker can transmit manipulated inputs through this local IPC channel to trick the background service, and the malicious command then runs with root privileges. Researchers Ismael Esquilichi, Pablo Redondo, and Lê Đức Ninh discovered and responsibly reported this critical vulnerability.
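To check whether an endpoint falls in the affected range above (3.5.1 through 3.8.1, with 3.8.2 as the fixed release), the following script is an added example, not code from OpenVPN or from the original report. The install path and the function names are assumptions; override `APP_PLIST` if your deployment differs.

```shell
#!/bin/sh
# Added example: classify an OpenVPN Connect for macOS version against the
# range given in the article (3.5.1 through 3.8.1 affected, 3.8.2 fixed).

# Assumed install location, not taken from the article.
APP_PLIST=${APP_PLIST:-/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/Info.plist}

# ver_cmp A B: print -1, 0 or 1, comparing the first three dotted fields as
# numbers (a plain string comparison would rank 3.10.0 below 3.8.1).
ver_cmp() {
  for i in 1 2 3; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i")
    y=$(printf '%s\n' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# classify_version V: print affected, fixed, not-listed or unknown.
classify_version() {
  v=${1%%[!0-9.]*}              # drop a build suffix such as " (1234)"
  case $v in
    ''|.*|*.|*..*) echo unknown; return 0 ;;
    *.*) ;;
    *) echo unknown; return 0 ;;
  esac
  if [ "$(ver_cmp "$v" 3.5.1)" -ge 0 ] && [ "$(ver_cmp "$v" 3.8.1)" -le 0 ]; then
    echo affected
  elif [ "$(ver_cmp "$v" 3.8.2)" -ge 0 ]; then
    echo fixed
  else
    echo not-listed             # older than 3.5.1: outside the range the article names
  fi
}

# installed_version PLIST: print CFBundleShortVersionString, fail if absent.
installed_version() {
  [ -f "$1" ] || return 1
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$1" 2>/dev/null
}

if ver=$(installed_version "$APP_PLIST"); then
  echo "OpenVPN Connect $ver: $(classify_version "$ver")"
else
  echo "OpenVPN Connect not found at $APP_PLIST"
fi
```

Run it through your management tooling and treat any `affected` result as an endpoint that still needs the 3.8.2 update.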
Additional Bug Fixes in Version 3.8.2
In addition to fixing the OpenVPN Connect macOS vulnerability, the new v3.8.2 update resolves several functional bugs. First, developers fixed a web-based authentication glitch. Previously, entering specific trailing characters like a slash or question mark broke the authentication process entirely. Specifically, these characters prevented the app from launching the browser for web-based authentication.
Second, the engineering team addressed a severe profile management issue. During profile switches, the application sometimes displayed the manual profile import screen unexpectedly. Consequently, this interface error could result in a blank profile being imported into the system. Alternatively, the app would crash immediately during the profile migration sequence. Fortunately, upgrading to the latest version completely stabilizes the software and eliminates these dangerous flaws.