securityonline.info 6/19/2026, 3:32:19 AM · external

OpenBSD vulnerability allows auth bypass using empty credentials

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

Researchers have disclosed a critical vulnerability in OpenBSD, tracked as CVE-2026-55706, which allows an authentication bypass due to improper handling of PAP login credentials. The vulnerability has existed for 27 years and can be exploited by supplying empty fields for the username and password, allowing unauthorized access without credentials. Users are advised to update to the patched version released on June 14, 2026, which corrects the flaw by implementing exact-length checks. The vulnerability primarily affects PPPoE authentication in untrusted Layer 2 segments and has a CVSS score of 5.8, indicating medium severity.
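The following is an added illustration, not OpenBSD's code and not taken from the source article: it shows why an exact-length check matters when verifying a PAP Authenticate-Request (field layout per RFC 1334). The weak variant assumes a comparison bounded by the peer-supplied length, which is one way empty fields can pass; the page does not show the actual flawed code, and all function names, the account and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* PAP Authenticate-Request data (RFC 1334): [id_len][peer-id][pw_len][password] */
struct pap_req { const unsigned char *id, *pw; size_t id_len, pw_len; };

/* Bounds-checked parse; returns 0 on success, -1 if the packet is truncated. */
static int pap_parse(const unsigned char *b, size_t len, struct pap_req *r) {
    if (len < 1) return -1;
    r->id_len = b[0];
    if (len < r->id_len + 2) return -1;
    r->id = b + 1;
    r->pw_len = b[1 + r->id_len];
    if (len < r->id_len + 2 + r->pw_len) return -1;
    r->pw = b + 2 + r->id_len;
    return 0;
}

/* Assumed weak pattern: compares only as many bytes as the peer supplied,
 * so zero-length fields compare equal to any stored credential. */
static int check_prefix(const struct pap_req *r, const char *u, const char *p) {
    if (r->id_len > strlen(u) || r->pw_len > strlen(p)) return 0;
    return memcmp(r->id, u, r->id_len) == 0 && memcmp(r->pw, p, r->pw_len) == 0;
}

/* Constant-time equality over n bytes. */
static int ct_equal(const unsigned char *a, const char *b, size_t n) {
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ (unsigned char)b[i];
    return d == 0;
}

/* Hardened: lengths must match exactly before the full values are compared. */
static int check_exact(const struct pap_req *r, const char *u, const char *p) {
    if (r->id_len != strlen(u) || r->pw_len != strlen(p)) return 0;
    return ct_equal(r->id, u, r->id_len) & ct_equal(r->pw, p, r->pw_len);
}

/* Constructed sample packets; the account "alice"/"s3cret" is hypothetical. */
const unsigned char EMPTY_REQ[] = { 0, 0 };
const unsigned char GOOD_REQ[] = { 5,'a','l','i','c','e', 6,'s','3','c','r','e','t' };

/* Returns 1 if the request authenticates; exact selects the hardened check. */
int pap_auth(const unsigned char *b, size_t len, int exact) {
    struct pap_req r;
    if (pap_parse(b, len, &r) != 0) return 0;
    return exact ? check_exact(&r, "alice", "s3cret") : check_prefix(&r, "alice", "s3cret");
}
```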


Article by CyberSIXT