CVE-2026-31893
On 2026-03-09 Lee (GitHub user finder16) informed Tunnelblick developers of a security vulnerability in Tunnelblick by reporting it as a GitHub Security Advisory. This vulnerability has been assigned CVE-2026-31893. The developers released new versions of Tunnelblick to address the vulnerability on 2026-03-28.
What is the vulnerability?
The vulnerability allows an attacker to copy the contents of any file accessible to root.
The vulnerability does not give the attacker more privileges than a logged-in administrator could obtain by providing a password, fingerprint, or other authentication and authorization; the difference is that no such authentication or authorization is required.
Prerequisites to exploiting the vulnerability
- A vulnerable version of Tunnelblick must have been installed at some time (even if it has subsequently been uninstalled), which required authentication and authorization by a computer administrator; AND
- The vulnerable version:
Exploiting the vulnerability
- The attacker must create a symlink to the file whose contents are to be read. No authentication or authorization is required, even for a "standard" user. The symlink must replace an OpenVPN configuration file contained in an existing private Tunnelblick VPN Configuration or in one which was created for the attack.
- The attacker must execute a script or click the "Copy Diagnostic Data to Clipboard" button in Tunnelblick.
The contents of the file which is the target of the symlink will be placed on the Clipboard. (Certain lines of the file, assumed to be a text file, will be omitted if they appear to be inline certificates.)
Preventing an attack
Update to stable Tunnelblick 8.0.1 or later, or beta 9.0.beta02 or later, by using the built-in updater or by downloading and installing the new version over an old version. Both methods will preserve VPN configurations and settings.
If you cannot update (for example, because you are using macOS 12 or earlier, which cannot run Tunnelblick 8.0.1 or later or 9.0.beta02 or later), the only ways to avoid the vulnerability are to:
- Completely remove Tunnelblick by using the "Uninstall" button in the "Utilities" panel of Tunnelblick's "VPN Details" window; OR
- If you have an old version of Tunnelblick which does not have an "Uninstall" button, use the standalone Tunnelblick Uninstaller. For details, see Uninstalling Tunnelblick; OR
- Delete /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist (This will prevent the attack, although it will leave some pieces of Tunnelblick installed. An alternative is to install any version of Tunnelblick and then completely uninstall it using the built-in uninstaller or the standalone Tunnelblick Uninstaller as described above.)
FAQ
How can I tell if my computer is vulnerable to the attack?
Your computer is vulnerable to the attack if it has:
- A file at /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist
AND it does not have:
- A stable version of Tunnelblick earlier than 3.4.4 OR later than Tunnelblick 8.0, OR a beta version of Tunnelblick earlier than 3.4beta27 OR later than Tunnelblick 9.0beta02.
What versions of Tunnelblick are affected?
- Stable versions of Tunnelblick later than 3.4.3 and earlier than Tunnelblick 8.0.1.
- Beta versions of Tunnelblick later than 3.4beta28 and earlier than Tunnelblick 9.0beta02.
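The two answers above (the presence of the tunnelblickd LaunchDaemon plist, and the affected version ranges) can be turned into a repeatable check. The script below is an added example, not code from the advisory or from the Tunnelblick project. It assumes the LaunchDaemon path given on this page and an app location of /Applications/Tunnelblick.app (an assumption), reads CFBundleShortVersionString from the app's Info.plist (assumed to be in XML form; on macOS a binary plist can be converted first with `plutil -convert xml1 -o - FILE`, or the value read with `defaults read`), and classifies the version using the ranges in "What versions of Tunnelblick are affected?". It follows the FAQ rule that a leftover plist with no Tunnelblick application present counts as vulnerable.

```shell
#!/bin/sh
# Added example (not Tunnelblick's code): checks a Mac against the FAQ rule on
# this page. Assumptions: the daemon plist path is the one on this page; the
# app lives at /Applications/Tunnelblick.app; its Info.plist is XML (on macOS a
# binary plist can be converted first with `plutil -convert xml1 -o - FILE`).
TB_DAEMON_PLIST_DEFAULT="/Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist"
TB_APP_INFO_DEFAULT="/Applications/Tunnelblick.app/Contents/Info.plist"   # assumed location

# Print CFBundleShortVersionString from an XML Info.plist (nothing if absent).
# Anything after the first space (e.g. a build suffix) is dropped.
tb_version_from_info_plist() {
    [ -r "$1" ] || return 1
    tr -d '\n' < "$1" |
        sed -n 's|.*<key>CFBundleShortVersionString</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p' |
        sed 's/ .*//'
}

# Sort keys. Stable "a.b[.c]" and beta "a.b[.]betaNN" are only ever compared
# against bounds of their own kind, so each gets its own key:
# major*10^6 + minor*10^3 + (patch or beta number).
tb_stable_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}
tb_beta_key() {
    printf '%s\n' "$1" | sed 's/\.*beta/ /' |
        awk -F'[. ]' '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Classify a version string using the ranges in "What versions are affected?":
#   stable: later than 3.4.3 and earlier than 8.0.1
#   beta:   later than 3.4beta28 and earlier than 9.0beta02
# Prints "affected", "not affected" or "unknown"; exit status 0 only when affected.
tb_version_affected() {
    v=$(printf '%s' "$1" | sed 's/ .*//')
    if printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.?beta[0-9]+$'; then
        k=$(tb_beta_key "$v"); lo=$(tb_beta_key 3.4beta28); hi=$(tb_beta_key 9.0beta02)
    elif printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+(\.[0-9]+)?$'; then
        k=$(tb_stable_key "$v"); lo=$(tb_stable_key 3.4.3); hi=$(tb_stable_key 8.0.1)
    else
        echo unknown; return 2
    fi
    if [ "$k" -gt "$lo" ] && [ "$k" -lt "$hi" ]; then echo affected; return 0; fi
    echo "not affected"; return 1
}

# Host verdict per the FAQ: vulnerable when the daemon plist exists AND there is
# no non-affected version of Tunnelblick (including no Tunnelblick at all, the
# "dragged to the Trash" case). Args: [daemon plist] [app Info.plist].
# Exit status 0 = vulnerable, 1 = not vulnerable, 2 = undetermined.
tb_host_vulnerable() {
    daemon_plist=${1:-$TB_DAEMON_PLIST_DEFAULT}
    app_info=${2:-$TB_APP_INFO_DEFAULT}
    if [ ! -e "$daemon_plist" ]; then
        echo "not vulnerable: $daemon_plist is absent"; return 1
    fi
    ver=$(tb_version_from_info_plist "$app_info") || ver=""
    if [ -z "$ver" ]; then
        echo "vulnerable: $daemon_plist present but no Tunnelblick version found (incomplete uninstall?); delete the plist or reinstall and uninstall properly"
        return 0
    fi
    case "$(tb_version_affected "$ver")" in
        affected)       echo "vulnerable: Tunnelblick $ver installed; update to 8.0.1 / 9.0beta02 or later"; return 0 ;;
        "not affected") echo "not vulnerable: Tunnelblick $ver installed"; return 1 ;;
        *)              echo "undetermined: cannot parse Tunnelblick version '$ver'"; return 2 ;;
    esac
}

# Usage: sh tb_check.sh --check [daemon plist] [app Info.plist]
case "${1:-}" in --check) tb_host_vulnerable "$2" "$3" ;; esac
```

Run it as `sh tb_check.sh --check` on the Mac in question; the exit status makes it usable from a fleet-management script as well as by hand. The version parsing is deliberately strict: a string it cannot classify yields "undetermined" rather than a guess, so an odd version string is surfaced for a human to look at.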
Why are old versions of Tunnelblick not being updated to resist the attack?
- Old versions contain other serious security vulnerabilities.
- Old versions are only required on macOS 12 or earlier, which no longer gets security updates from Apple.
- Old versions are much more difficult for the developers to update.
Does uninstalling Tunnelblick prevent the attack?
Yes, but only if Tunnelblick was uninstalled by using its built-in uninstaller or the standalone Tunnelblick Uninstaller. Uninstallation using some third-party "uninstall" or "clean up" programs may also prevent the attack.
What can I do to protect my computer if I uninstalled without using the built-in uninstaller or the standalone Tunnelblick Uninstaller?
- Delete /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist. This will prevent the attack, although it will leave some pieces of Tunnelblick installed. An alternative is to install any version of Tunnelblick and then completely uninstall it using the built-in uninstaller or the standalone Tunnelblick Uninstaller as described above.
What can I do to protect my computer if I uninstalled by dragging the Tunnelblick application to the Trash?
- Delete /Library/LaunchDaemons/net.tunnelblick.tunnelblick.tunnelblickd.plist. This will prevent the attack, although it will leave some pieces of Tunnelblick installed. An alternative is to install any version of Tunnelblick and then completely uninstall it using the built-in uninstaller or the standalone Tunnelblick Uninstaller as described above.
2026-03-09 Initial report from Lee (GitHub user finder16) to Tunnelblick developers.
2026-03-10 Tunnelblick developers understand and can reproduce the problem.
2026-03-10 GitHub assigns CVE-2026-31893 to this vulnerability.
2026-03-13 Tunnelblick developers have an initial fix for the problem and start testing and refining it.
2026-03-23 Initial fixes for the stable and release versions of Tunnelblick pass testing by Tunnelblick developers and GitHub user finder16.
2026-03-28 Tunnelblick 8.0.1 and 9.0beta02, which fix the vulnerability, were released and an initial version of this page, without details about the vulnerability, was published.
2026-05-01 This page was updated with details, and details were published on GitHub as Local Arbitrary File Read via Symlink Following in tunnelblickd.