26.1.5
CVE-2026-30868 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in OPNsense Core, a FreeBSD-based firewall and routing platform. This flaw allows an attacker to trigger privileged backend actions, potentially leading to service reloads and configuration modifications. The vulnerability impacts versions of OPNsense Core up to and including 26.1.4, and a patch is available in version 26.1.4.
An attacker exploiting CVE-2026-30868 could craft a malicious website that, when visited by an authenticated OPNsense user, triggers backend actions without the user's knowledge. This could involve reloading services, modifying firewall rules, or altering other critical configurations. The impact is significant because it allows for unauthorized changes to the firewall's behavior, potentially compromising network security. Successful exploitation requires the user to be authenticated within the OPNsense web interface and visit the attacker-controlled website. The blast radius extends to the entire network protected by the OPNsense firewall, as configuration changes can affect all connected devices.
CVE-2026-30868 was publicly disclosed on 2026-03-11. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. The vulnerability's reliance on user authentication makes it somewhat less likely to be exploited at scale compared to vulnerabilities that do not require authentication.
Organizations relying on OPNsense Core as their primary firewall solution are at risk. This includes small to medium-sized businesses, home users with advanced networking setups, and managed service providers using OPNsense in their client environments. Specifically, deployments with weak password policies or users who frequently visit untrusted websites are more vulnerable.
• linux / server:
journalctl -u opnsense -g 'MVC API endpoint' | grep -i 'GET request'
• generic web:
curl -I https://<opnsense_ip>/api/endpoint | grep -i 'CSRF token'
• freebsd:
capstat -s | grep -i 'MVC API endpoint'
Exploit status
EPSS
0.02% (4th percentile)
The primary mitigation for CVE-2026-30868 is to upgrade OPNsense Core to version 26.1.4 or later, which includes the necessary CSRF protection. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting access to the MVC API endpoints from untrusted networks. While not a complete solution, enabling stricter HTTP headers (e.g., X-Frame-Options) can help mitigate the risk. Monitor OPNsense logs for suspicious activity, particularly requests originating from unusual sources or targeting sensitive API endpoints. After upgrading, confirm the fix by attempting to trigger a configuration change via a GET request from a separate browser session – the request should be rejected due to CSRF protection.
Update OPNsense to version 26.1.4 or later. This version fixes the CSRF vulnerability in the MVC API endpoints. Updating prevents malicious websites from performing privileged actions on your behalf.
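The log monitoring suggested above can be narrowed to the request shape this CVE involves: GET requests to API paths whose Referer is missing or names another site. The following is an added example, not OPNsense code; the combined access log format, the `/api/` prefix, the hostname `fw.example.test` and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the web server writes combined-format access log lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def referer_host(referer):
    """Return the lowercase host of a Referer value, or None if absent."""
    if referer in ("", "-"):
        return None
    try:
        return (urlsplit(referer).hostname or "").lower() or "<unparsable>"
    except ValueError:
        return "<unparsable>"

def suspicious_api_gets(lines, own_hosts, api_prefix="/api/"):
    """Yield GET requests to the API prefix whose Referer is missing or
    names a host other than the firewall's own hostnames."""
    own = {h.lower() for h in own_hosts}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or not m["path"].startswith(api_prefix):
            continue
        host = referer_host(m["referer"])
        if host in own:
            continue  # same-origin navigation from the GUI itself
        reason = "no-referer" if host is None else "cross-origin-referer"
        yield {"ip": m["ip"], "ts": m["ts"], "path": m["path"],
               "status": int(m["status"]), "referer_host": host, "reason": reason}

# Constructed sample lines (documentation addresses and hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Mar/2026:10:00:01 +0000] "GET /api/endpoint HTTP/1.1" 200 52 "https://fw.example.test/ui/page" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Mar/2026:10:02:13 +0000] "GET /api/endpoint HTTP/1.1" 200 52 "https://unrelated.example.net/news" "Mozilla/5.0"',
    '192.0.2.10 - - [11/Mar/2026:10:03:40 +0000] "POST /api/endpoint HTTP/1.1" 200 52 "https://fw.example.test/ui/page" "Mozilla/5.0"',
    '192.0.2.22 - - [11/Mar/2026:10:05:00 +0000] "GET /api/endpoint HTTP/1.1" 200 52 "-" "curl/8.5.0"',
    '192.0.2.10 - - [11/Mar/2026:10:06:00 +0000] "GET /ui/page HTTP/1.1" 200 900 "https://unrelated.example.net/news" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_api_gets(SAMPLE_LOG, {"fw.example.test"}):
        print(hit["ts"], hit["ip"], hit["path"], hit["reason"], hit["referer_host"])
```

A `no-referer` hit is lower confidence than a `cross-origin-referer` hit, since scripted API clients also send no Referer; correlate it with the source address and the authenticated session before acting on it.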
CVE-2026-30868 is a Cross-Site Request Forgery (CSRF) vulnerability in OPNsense Core versions up to 26.1.4, allowing attackers to trigger actions as an authenticated user.
You are affected if you are running OPNsense Core version 26.1.4 or earlier. Upgrade to 26.1.4 to mitigate the risk.
Upgrade OPNsense Core to version 26.1.4 or later. As a temporary workaround, restrict access to the MVC API endpoints from untrusted networks.
There is currently no evidence of active exploitation in the wild, but the vulnerability has been added to the CISA KEV catalog.
Refer to the official OPNsense security advisory on their website for detailed information and updates: [https://opnsense.org/security/advisories/](https://opnsense.org/security/advisories/)