CVE-2025-50055
Description
Cross-site scripting (XSS) vulnerability in the SAML Authentication module in OpenVPN Access Server version 2.14.0 through 2.14.3 allows configured remote SAML Assertion Consumer Service (ACS) endpoint servers to inject arbitrary web script or HTML via the RelayState parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in OpenVPN Access Server SAML module allows remote SAML ACS servers to inject arbitrary script via RelayState parameter.
The SAML Authentication module in OpenVPN Access Server versions 2.14.0 through 2.14.3 contains a cross-site scripting (XSS) vulnerability. The issue lies in the handling of the RelayState parameter within the SAML Assertion Consumer Service (ACS) endpoint. An attacker who controls a configured remote SAML ACS endpoint server can inject arbitrary web script or HTML via this parameter.
Exploitation requires the attacker to be a configured remote SAML ACS endpoint server; that is, they must control a SAML identity provider or ACS endpoint that the OpenVPN Access Server is configured to trust. From that position, a crafted RelayState value that the ACS endpoint reflects without encoding executes as script in the context of the admin web UI or the user's session.
Successful exploitation could allow the attacker to perform actions on behalf of an authenticated administrator or user, such as stealing session cookies, redirecting to malicious sites, or modifying settings. The CVSS score of 6.4 indicates medium severity, likely due to the requirement of a configured remote endpoint.
The vulnerability is fixed in OpenVPN Access Server versions beyond 2.14.3. Users should upgrade to the latest version as recommended in the release notes [1].
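The narrative above describes the classic shape of a reflected RelayState bug: a value supplied by the peer in the SAML exchange is written back into a redirect or page without validation or encoding. The following is an added example, not OpenVPN's code and not the actual fix; it shows, in a generic Python handler, the unsafe pattern next to a hardened version that restricts RelayState to a same-origin relative path and HTML-encodes it before rendering. All function and constant names (`render_unsafe`, `sanitize_relay_state`, `render_safe`, `DEFAULT_LANDING`) are hypothetical.

```python
"""
Added example (not OpenVPN Access Server's code). Demonstrates how a SAML
ACS endpoint should treat the RelayState parameter before reflecting it.
Names below are hypothetical; the sample inputs are constructed.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

# Where to send the user when RelayState is missing or untrustworthy.
DEFAULT_LANDING = "/"
MAX_RELAY_STATE_LEN = 2048


def render_unsafe(relay_state: str) -> str:
    """Unsafe pattern, shown for contrast only: the value is reflected
    verbatim into markup, so any HTML or script in it is rendered."""
    return f'<a href="{relay_state}">Continue</a>'


def sanitize_relay_state(relay_state: Optional[str]) -> str:
    """Return RelayState only if it is a plain same-origin relative path.

    Anything else (absolute URL, scheme such as javascript:, protocol-relative
    //host, control characters, backslashes) falls back to DEFAULT_LANDING.
    Validation happens before encoding: encoding alone would still allow an
    open redirect to an attacker-controlled host.
    """
    if not relay_state or len(relay_state) > MAX_RELAY_STATE_LEN:
        return DEFAULT_LANDING
    # Control characters enable header injection and whitespace tricks.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in relay_state):
        return DEFAULT_LANDING
    # Some browsers treat a backslash as a forward slash.
    if "\\" in relay_state:
        return DEFAULT_LANDING
    parts = urlsplit(relay_state)
    # A scheme (http:, javascript:, data:) or a host part (//evil) means the
    # value is not a same-origin relative path.
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return DEFAULT_LANDING
    return relay_state


def render_safe(relay_state: Optional[str]) -> str:
    """Hardened pattern: validate, then HTML-encode the attribute value."""
    target = sanitize_relay_state(relay_state)
    return f'<a href="{html.escape(target, quote=True)}">Continue</a>'


if __name__ == "__main__":
    # Constructed inputs: one benign value and two hostile ones.
    for value in ["/admin/?tab=users", '/x"><b>y</b>', "javascript:alert(1)"]:
        print("unsafe:", render_unsafe(value))
        print("safe:  ", render_safe(value))
```

The two checks are independent on purpose: `sanitize_relay_state` stops open redirects and scheme-based script URLs, and `html.escape` stops markup breaking out of the attribute. Either alone leaves one of the two problems open.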
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=2.14.0 <=2.14.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.