What the vulnerability does

01Description

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

Key dates

02Disclosure timeline

March 18, 2022 CVE published
November 3, 2025 Record updated