OpenVPN Connect 3.5.1-3.8.1 macOS PrivEsc via IPC channel
CVE-2026-9560 Published on May 26, 2026
Privilege escalation via the background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via a local IPC channel.
Weakness Types
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-9560 has been classified as a Shell injection vulnerability or weakness.
Privilege Defined With Unsafe Actions
A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
Privilege Context Switching Error
The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.
Incorrect Use of Privileged APIs
The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
Products Associated with CVE-2026-9560
Affected Versions
OpenVPN Inc OpenVPN Connect: versions 3.5.1 through 3.8.1 (inclusive) are affected.