Platform: freebsd
Component: core
Fixed in: 26.1.5
CVE-2026-30868 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in OPNsense Core, a FreeBSD-based firewall and routing platform. This flaw allows an attacker to trigger privileged backend actions, potentially leading to service reloads and configuration modifications. The vulnerability impacts versions of OPNsense Core up to and including 26.1.4, and a patch is available in version 26.1.4.
An attacker exploiting CVE-2026-30868 could craft a malicious website that, when visited by an authenticated OPNsense user, triggers backend actions without the user's knowledge. This could involve reloading services, modifying firewall rules, or altering other critical configurations. The impact is significant because it allows for unauthorized changes to the firewall's behavior, potentially compromising network security. Successful exploitation requires the user to be authenticated within the OPNsense web interface and visit the attacker-controlled website. The blast radius extends to the entire network protected by the OPNsense firewall, as configuration changes can affect all connected devices.
CVE-2026-30868 was publicly disclosed on 2026-03-11. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. The vulnerability's reliance on user authentication makes it somewhat less likely to be exploited at scale compared to vulnerabilities that do not require authentication.
Exploit Status
EPSS: 0.02% (4% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-30868 is to upgrade OPNsense Core to version 26.1.4 or later, which includes the necessary CSRF protection. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting access to the MVC API endpoints from untrusted networks. While not a complete solution, enabling stricter HTTP headers (e.g., X-Frame-Options) can help mitigate the risk. Monitor OPNsense logs for suspicious activity, particularly requests originating from unusual sources or targeting sensitive API endpoints. After upgrading, confirm the fix by attempting to trigger a configuration change via a GET request from a separate browser session – the request should be rejected due to CSRF protection.
Update OPNsense to version 26.1.4 or higher. This version fixes the CSRF vulnerability in the MVC API endpoints. The update will prevent malicious websites from executing privileged actions on your behalf.
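The log monitoring recommended above can be made concrete with a short script. This is an added example, not code from OPNsense or from the advisory: it scans web access-log lines for API requests whose Referer points at a host other than the firewall GUI, and records whether each one was served. It assumes a combined-format access log, a GUI host name of `fw.example.internal`, and API paths under `/api/`; the sample log lines and the `/api/example/...` paths are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the host name operators use for the GUI,
# and that MVC API requests are served under /api/.
GUI_HOSTS = {"fw.example.internal"}
API_PREFIX = "/api/"

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def referer_host(referer):
    """Return the Referer's host name, or None when absent or unparsable."""
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None

def cross_site_api_requests(lines):
    """Flag API requests whose Referer names a host other than the firewall GUI."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(API_PREFIX):
            continue
        host = referer_host(m["referer"])
        if host is None or host in GUI_HOSTS:
            continue  # no Referer (scripts, API clients) or same-site GUI traffic
        findings.append({
            "time": m["ts"], "client": m["ip"], "method": m["method"],
            "path": m["path"], "referer_host": host,
            "served": m["status"].startswith("2"),  # 2xx: the backend acted on it
        })
    return findings

# Constructed sample log lines; the /api/example/... paths are placeholders.
SAMPLE = [
    '192.0.2.10 - admin [11/Mar/2026:10:00:01 +0000] "POST /api/example/settings/set HTTP/1.1" 200 31 "https://fw.example.internal/ui/example" "Mozilla/5.0"',
    '192.0.2.10 - admin [11/Mar/2026:10:02:17 +0000] "GET /api/example/service/reconfigure HTTP/1.1" 200 42 "https://other-site.example/page.html" "Mozilla/5.0"',
    '192.0.2.11 - admin [11/Mar/2026:10:05:40 +0000] "GET /api/example/service/reconfigure HTTP/1.1" 403 0 "https://other-site.example/page.html" "Mozilla/5.0"',
    '192.0.2.12 - - [11/Mar/2026:10:06:02 +0000] "GET /ui/dashboard HTTP/1.1" 200 900 "https://other-site.example/" "Mozilla/5.0"',
    '192.0.2.13 - - [11/Mar/2026:10:07:30 +0000] "GET /api/example/service/status HTTP/1.1" 200 18 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in cross_site_api_requests(SAMPLE):
        print(finding)
```

A finding with `served` set to true is the case to investigate first: a cross-site request that the backend answered with a success status.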
CVE-2026-30868 is a Cross-Site Request Forgery (CSRF) vulnerability in OPNsense Core versions up to 26.1.4, allowing attackers to trigger actions as an authenticated user.
You are affected if you are running OPNsense Core version 26.1.4 or earlier. Upgrade to 26.1.4 to mitigate the risk.
Upgrade OPNsense Core to version 26.1.4 or later. As a temporary workaround, restrict access to the MVC API endpoints from untrusted networks.
There is currently no evidence of active exploitation in the wild, but the vulnerability has been added to the CISA KEV catalog.
Refer to the official OPNsense security advisory on their website for detailed information and updates: [https://opnsense.org/security/advisories/](https://opnsense.org/security/advisories/)