This page lists publicly disclosed CVE vulnerabilities affecting openvpn openvpn (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-15497 | Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service | [email protected] | 3.8 | 0.32% | 2026-01-30 | 2026-06-17 |
| CVE-2025-13086 | Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for the originating client | [email protected] | 4.6 | 0.61% | 2025-12-03 | 2026-06-17 |
| CVE-2025-13751 | Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service. | [email protected] | 1.3 | 0.15% | 2025-12-03 | 2026-06-17 |
| CVE-2025-12106 | Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses | [email protected] | 9.1 | 0.53% | 2025-12-01 | 2026-06-17 |
| CVE-2024-4877 | OpenVPN version 2.4.0 through 2.6.10 on Windows allows an external, lesser privileged process to create a named pipe which the OpenVPN GUI component would connect to allowing it to escalate its privileges | [email protected] | 8.8 | 0.41% | 2025-04-03 | 2026-06-17 |
| CVE-2025-2704 | OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase | [email protected] | 7.5 | 0.78% | 2025-04-02 | 2026-06-17 |
| CVE-2024-5594 | OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs. | [email protected] | 9.1 | 0.81% | 2025-01-06 | 2026-06-17 |
| CVE-2024-28882 | OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session | [email protected] | 4.3 | 0.67% | 2024-07-08 | 2026-06-17 |
| CVE-2024-27903 | OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service. | [email protected] | 9.8 | 8.92% | 2024-07-08 | 2026-06-17 |
| CVE-2024-27459 | The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges. | [email protected] | 7.8 | 8.26% | 2024-07-08 | 2026-06-17 |
| CVE-2024-24974 | The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to interact with the privileged OpenVPN interactive service. | [email protected] | 7.5 | 9.76% | 2024-07-08 | 2026-06-17 |
| CVE-2023-46850 | Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer. | [email protected] | 9.8 | 1.98% | 2023-11-10 | 2026-06-23 |
| CVE-2023-46849 | Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service. | [email protected] | 7.5 | 1.14% | 2023-11-10 | 2026-06-17 |
| CVE-2020-20813 | Control Channel in OpenVPN 2.4.7 and earlier allows remote attackers to cause a denial of service via crafted reset packet. | [email protected] | 7.5 | 0.69% | 2023-08-22 | 2026-06-16 |
| CVE-2022-0547 | OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. | [email protected] | 9.8 | 3.52% | 2022-03-18 | 2026-06-17 |
| CVE-2021-3547 | OpenVPN 3 Core Library version 3.6 and 3.6.1 allows a man-in-the-middle attacker to bypass the certificate authentication by issuing an unrelated server certificate using the same hostname found in the verify-x509-name option in a client configuration. | [email protected] | 7.4 | 0.97% | 2021-07-12 | 2026-06-17 |
| CVE-2021-3606 | OpenVPN before version 2.5.3 on Windows allows local users to load arbitrary dynamic loadable libraries via an OpenSSL configuration file if present, which allows the user to run arbitrary code with the same privilege level as the main OpenVPN process (openvpn.exe). | [email protected] | 7.8 | 0.34% | 2021-07-02 | 2026-06-17 |
| CVE-2020-15078 | OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. | [email protected] | 7.5 | 5.11% | 2021-04-26 | 2026-06-16 |
| CVE-2020-11810 | An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. T | [email protected] | 3.7 | 1.61% | 2020-04-27 | 2026-06-16 |
| CVE-2018-9336 | openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation. | [email protected] | 7.8 | 0.61% | 2018-05-01 | 2026-06-16 |