Description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.
Published: 2026-03-11
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated CSRF leading to unauthorized configuration changes
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an attacker to mount an authenticated CSRF attack against OPNsense. Multiple MVC API endpoints perform state-changing operations when accessed with HTTP GET requests, and the framework's CSRF validation is not applied to GET. A malicious website can therefore make the browser of a logged-in user issue such a GET, with the session cookie attached automatically by the browser, and trigger privileged backend actions such as service reloads and configuration changes via configd. The forged request runs with the privileges of the victim's session, so the attacker can alter system configuration without knowing the victim's credentials or CSRF token, which can lead to denial of service or other unintended behaviour.
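The gate described above, modelled in Python as an added example (this is not OPNsense's ApiControllerBase or any other project code): the pre-26.1.4 check, which consults the CSRF token only for POST/PUT/DELETE, sits beside a hardened check that refuses GET for state-changing actions and requires the token on every other method. The API paths, the X-CSRFToken header name, the session token value and the request objects are all constructed for the model; the Sec-Fetch-Site check is an extra defence-in-depth measure, not something the advisory describes.

```python
"""Model of the CSRF gate behind CVE-2026-30868 (added example, not OPNsense code)."""
import hmac
from dataclasses import dataclass, field

STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}

# Hypothetical API paths, used only by this model.
RELOAD_ACTION = "/api/example/service/reload"   # privileged: reloads a service via configd
STATUS_ACTION = "/api/example/service/status"   # read-only
STATE_CHANGING_ACTIONS = {RELOAD_ACTION}


@dataclass
class Session:
    user: str
    csrf_token: str


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def has_valid_token(req: Request, session: Session) -> bool:
    """Constant-time comparison of the submitted token with the session's.
    The X-CSRFToken header name is an assumption of this model."""
    return hmac.compare_digest(req.headers.get("X-CSRFToken", ""), session.csrf_token)


def vulnerable_gate(req: Request, session: Session) -> None:
    """Pre-26.1.4 behaviour as the advisory describes it: the token is only
    checked for POST/PUT/DELETE, so a GET is never asked for one."""
    if req.method in STATE_CHANGING_METHODS and not has_valid_token(req, session):
        raise Forbidden("CSRF token missing or invalid")


def hardened_gate(req: Request, session: Session) -> None:
    """State-changing actions refuse GET and need a token on every other
    method; all other requests keep the method-based rule. The Sec-Fetch-Site
    check is defence in depth beyond what the advisory describes."""
    if req.path in STATE_CHANGING_ACTIONS:
        if req.method == "GET":
            raise Forbidden("state-changing action does not accept GET")
        if req.headers.get("Sec-Fetch-Site") == "cross-site":
            raise Forbidden("cross-site request to state-changing action")
        if not has_valid_token(req, session):
            raise Forbidden("CSRF token missing or invalid")
    elif req.method in STATE_CHANGING_METHODS and not has_valid_token(req, session):
        raise Forbidden("CSRF token missing or invalid")


def dispatch(req: Request, session: Session, gate) -> str:
    """Run the gate, then the action; returns what the backend did."""
    gate(req, session)
    if req.path == RELOAD_ACTION:
        return "configd: service reload"
    if req.path == STATUS_ACTION:
        return "status: running"
    return "404"


def outcome(req: Request, session: Session, gate) -> str:
    try:
        return dispatch(req, session, gate)
    except Forbidden as exc:
        return f"403: {exc}"


def demo() -> dict:
    """Three request shapes against both gates; all values are constructed."""
    session = Session(user="admin", csrf_token="t0k3n-from-session")
    # What a malicious page makes the victim's browser send: a GET carrying the
    # session cookie automatically, no token, and Sec-Fetch-Site: cross-site.
    csrf_get = Request("GET", RELOAD_ACTION, {"Sec-Fetch-Site": "cross-site"})
    # A legitimate call from the firewall's own UI.
    ui_post = Request("POST", RELOAD_ACTION,
                      {"X-CSRFToken": session.csrf_token, "Sec-Fetch-Site": "same-origin"})
    # A cross-site POST: blocked by both gates because the token is missing.
    csrf_post = Request("POST", RELOAD_ACTION, {"Sec-Fetch-Site": "cross-site"})
    cases = {"cross-site GET": csrf_get, "ui POST": ui_post, "cross-site POST": csrf_post}
    return {f"{gate.__name__}/{name}": outcome(req, session, gate)
            for name, req in cases.items()
            for gate in (vulnerable_gate, hardened_gate)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32} -> {result}")
```

Run it to see the three request shapes against both gates: the cross-site GET is the only case on which the two gates disagree, which is exactly the gap the CVE describes, while a read-only GET still passes the hardened gate without a token.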

Affected Systems

All OPNsense core installations running a version older than 26.1.4 are affected. The vendor identifies the product as opnsense:core and names 26.1.4 as the fixed release.

Risk and Exploitability

The CVSS 3.1 score of 6.3 (vector AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L) rates this as medium severity: the attack is delivered over the network with low complexity, but it needs an already authenticated user (PR:L) who is tricked into visiting a malicious page (UI:R), and the result is a high integrity impact with only a low availability impact and no confidentiality impact. The EPSS score below 1% estimates a low probability of exploitation in the wild over the next 30 days, and the vulnerability is not listed in the CISA KEV catalog, although the SSVC record notes a public proof of concept. Exploitation requires an active OPNsense session; the attack vector is web-based CSRF triggered by a site the attacker controls. Because the attacker needs a legitimately logged-in user to visit that site, exploitation likelihood depends on user behaviour and on how exposed administrators' browsers are to attacker-controlled content.

Generated by OpenCVE AI on March 17, 2026 at 20:45 UTC.

Remediation

Vendor fix: upgrade to OPNsense 26.1.4, as stated in the advisory description. No separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade to OPNsense 26.1.4 or later

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Opnsense opnsense
CPEs                 -                cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*
Vendors & Products   -                Opnsense opnsense

Thu, 12 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Opnsense; Opnsense core
Vendors & Products   -                Opnsense; Opnsense core

Wed, 11 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc (version 2.0.3): Exploitation: poc; Automatable: no; Technical Impact: partial

Wed, 11 Mar 2026 17:00:00 +0000

Type                 Values Removed   Values Added
Description          -                OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.
Title                -                Cross-Site Request Forgery (CSRF) in opnsense/core
Weaknesses           -                CWE-352
References           -                -
Metrics              -                cvssV3_1: score 6.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T17:20:20.867Z

Reserved: 2026-03-05T21:27:35.343Z

Link: CVE-2026-30868

Vulnrichment

Updated: 2026-03-11T17:14:16.842Z

NVD

Status : Analyzed

Published: 2026-03-11T17:16:57.937

Modified: 2026-03-17T19:13:04.247

Link: CVE-2026-30868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:26Z

Weaknesses