Scan free
CRITICALCVE-2026-44194CVSS 9.1

CVE-2026-44194: RCE in OPNsense Core Firewall

Platform

linux

Component

opnsense

Fixed in

26.1.8

View on NVD
Save

CVE-2026-44194 is a critical Remote Code Execution (RCE) vulnerability discovered in OPNsense Core, a FreeBSD-based firewall and routing platform. This flaw allows authenticated users with user-management privileges to execute arbitrary system commands as root, effectively granting them complete control over the system. The vulnerability affects versions 26.1.0 through 26.1.7 and has been resolved in version 26.1.8.

Impact and Attack Scenarios

The impact of this vulnerability is severe. An attacker who successfully exploits CVE-2026-44194 can gain root access to the OPNsense firewall, enabling them to modify firewall rules, steal sensitive data, install malware, and potentially pivot to other systems on the network. This represents a complete compromise of the firewall and its protected network. The ability to bypass input validation by crafting malicious email addresses makes exploitation relatively straightforward for a skilled attacker. This vulnerability shares similarities with other input validation bypasses that have led to full system compromise in other applications.

Exploitation Context

CVE-2026-44194 was published on May 13, 2026. Its severity is rated as CRITICAL (CVSS 9.1). Currently, there are no publicly known active campaigns exploiting this vulnerability, but the ease of exploitation and the potential impact make it a high-priority target. No KEV or EPSS score is currently available. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests it is likely to be developed.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports4 threat reports

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H9.1CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredHighAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentopnsense
Vendoropnsense
Minimum version26.1.0
Maximum version< 26.1.8
Fixed in26.1.8

Weakness Classification (CWE)

CWE-78

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-44194 is to immediately upgrade OPNsense Core to version 26.1.8 or later. If upgrading is not immediately feasible, consider temporarily restricting user-management privileges to only trusted administrators. While a direct workaround is unavailable, carefully review and audit user accounts and their permissions. Monitor system logs for suspicious activity related to user synchronization. After upgrading, confirm the fix by attempting to trigger the vulnerable synchronization flow with a crafted email address; the command execution should be blocked.

How to fix

Actualice OPNsense a la versión 26.1.8 o posterior para mitigar la vulnerabilidad de ejecución remota de código. Esta actualización corrige la validación de entrada en el flujo de sincronización de usuarios locales, evitando la ejecución de comandos arbitrarios del sistema.

Frequently asked questions

What is CVE-2026-44194 — RCE in OPNsense Core?

CVE-2026-44194 is a critical Remote Code Execution vulnerability in OPNsense Core firewall versions 26.1.0 through 26.1.7. It allows authenticated users to execute commands as root.

Am I affected by CVE-2026-44194 in OPNsense Core?

If you are running OPNsense Core version 26.1.0 through 26.1.7, you are affected by this vulnerability. Upgrade to 26.1.8 or later immediately.

How do I fix CVE-2026-44194 in OPNsense Core?

The recommended fix is to upgrade OPNsense Core to version 26.1.8 or later. If immediate upgrade is not possible, restrict user-management privileges.

Is CVE-2026-44194 being actively exploited?

While there are no currently known active campaigns, the vulnerability's severity and ease of exploitation make it a likely target for attackers.

Where can I find the official OPNsense advisory for CVE-2026-44194?

Refer to the official OPNsense security advisory on their website: [https://opnsense.org/security/](https://opnsense.org/security/)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
livefree scan

Try it now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...