Critical OpenVPN Connect for macOS Vulnerability Lets Attackers Execute Arbitrary Commands as Root
A critical privilege escalation vulnerability (CVE-2026-9560, CVSS 9.4) in OpenVPN Connect for macOS allows local attackers to execute arbitrary commands as root via the privileged helper component's IPC channel.

A critical privilege escalation vulnerability has been discovered in OpenVPN Connect for macOS, enabling local attackers to execute arbitrary commands with elevated privileges through the application's background service component. Tracked as CVE-2026-9560, the flaw affects all versions from 3.5.1 through 3.8.1 and has been assigned a CVSS 4.0 base score of 9.4 (Critical).
The security flaw resides in OpenVPN Connect's macOS privileged helper component, a background service that manages VPN connections with elevated system privileges. The vulnerability is classified under CWE-78 (OS Command Injection) and is exploitable via the helper's local IPC (Inter-Process Communication) channel: a threat actor already present on the system can communicate directly with the background service over that channel to inject and execute arbitrary OS commands as root, without requiring user interaction.
The flaw was responsibly disclosed and is credited to security researchers Ismael Esquilichi, Pablo Redondo, and Lê Đức Ninh. As of publication, there are no public proof-of-concept exploits and no confirmed cases of active exploitation in the wild. However, given the high CVSS score and the nature of the vulnerability, security teams should treat this as a high-priority patch.
Alongside the critical CVE fix, OpenVPN also addressed two other bugs in the same release: a browser authentication failure where a server URL ending with /, ?, or # prevented the app from launching the browser for web-based authentication, and a blank profile import crash where the manual profile import screen appeared unexpectedly, potentially causing a blank profile to be imported or the app to crash when switching profiles.
Mitigation steps for security teams and macOS users running OpenVPN Connect include updating immediately to the latest version (later than 3.8.1), restricting local access to all systems running affected versions, monitoring for unusual IPC communication with OpenVPN background processes, and auditing endpoint access controls to minimize local attack surface on managed devices.
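To support the patching step above, the following added example (not code from OpenVPN or from the advisory) flags installed versions that fall in the affected range 3.5.1 through 3.8.1. The function names, the "hostname version" inventory format, and the app bundle path in `local_version` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag OpenVPN Connect for macOS versions in the range the
# article lists as affected by CVE-2026-9560 (3.5.1 through 3.8.1 inclusive).

# Turn "major.minor.patch[ suffix]" into one comparable integer.
version_key() {
    v=${1%%[!0-9.]*}              # drop a build suffix such as " (1234)"
    old_ifs=$IFS; IFS=.
    set -- $v                     # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit status: 0 = affected, 1 = outside the range, 2 = version not parseable.
is_affected() {
    case $1 in
        [0-9]*) ;;
        *) return 2 ;;
    esac
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 3.5.1)" ] && [ "$k" -le "$(version_key 3.8.1)" ]
}

# Read "hostname version" lines on stdin and print one verdict per host.
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        rc=0
        is_affected "$ver" || rc=$?
        case $rc in
            0) echo "$host $ver AFFECTED" ;;
            1) echo "$host $ver ok" ;;
            *) echo "$host ${ver:-?} UNKNOWN" ;;
        esac
    done
}

# Version of the locally installed app (macOS only). The default bundle path
# is an assumption; pass the real Info.plist path as $1 if it differs.
local_version() {
    plist="${1:-/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/Info.plist}"
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null
}

# Constructed sample inventory: hostnames and version strings are made up.
audit_inventory <<'EOF'
mac-01 3.5.0
mac-02 3.5.1
mac-03 3.8.1 (1234)
mac-04 3.8.2
mac-05 unknown
EOF
```

On a managed Mac, `is_affected "$(local_version)"` gives the same verdict for the local install; hosts reported as UNKNOWN need a manual check rather than being assumed safe.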
Given that this is a local privilege escalation flaw, organizations should treat any unpatched endpoint as a potential lateral movement risk, particularly in environments where multiple users share access to macOS systems. The vulnerability underscores the importance of securing privileged helper components in macOS applications, as they often run with root privileges and can become attractive targets for attackers seeking to escalate from user-level access to full system control.