Description
OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user-supplied input, leading to Remote Code Execution. This vulnerability is fixed in 26.1.7.
Published: 2026-05-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An XMLRPC method named opnsense.restore_config_section in OPNsense, a FreeBSD-based firewall platform, does not sanitize user-supplied input. An attacker can craft a request whose contents are executed on the host, resulting in remote code execution. The weakness is classified as CWE-88, Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'), which is a command-argument injection class rather than an XML parser flaw.

Affected Systems

The affected vendor is OPNsense. The product in question is the core OPNsense platform. The vulnerability exists in all releases before version 26.1.7, which provides the first fix. Users running earlier releases are thus vulnerable.

Risk and Exploitability

The CVSS base score of 9.1 indicates critical severity. No EPSS score is available, so the exploitation likelihood cannot be quantified from public data, and the vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C) describes a network-reachable, low-complexity attack that requires high privileges and no user interaction, with changed scope. Because the flaw resides in an XMLRPC endpoint, an attacker who can reach that service, for example through a management or public-facing connection, and who holds the required privileges may be able to send a crafted request that results in system command execution.

Generated by OpenCVE AI on May 13, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OPNsense to version 26.1.7 or later to apply the vendor patch.
  • Disable or restrict the XMLRPC service if it is not required for legitimate management purposes.
  • Monitor firewall logs for abnormal XMLRPC activity and investigate any suspicious requests.

Advisories

No advisories yet.

History

Fri, 15 May 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Opnsense opnsense |
| CPEs | | cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:* |
| Vendors & Products | | Opnsense opnsense |

Thu, 14 May 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 13 May 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Opnsense; Opnsense core |
| Vendors & Products | | Opnsense; Opnsense core |

Wed, 13 May 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user-supplied input, leading to Remote Code Execution. This vulnerability is fixed in 26.1.7. |
| Title | | OPNsense: RCE via XMLRPC endpoint using `opnsense.restore_config_section` method |
| Weaknesses | | CWE-88 |
| References | | |
| Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-16T03:56:17.546Z

Reserved: 2026-05-05T15:13:47.570Z

Link: CVE-2026-44193

Vulnrichment

Updated: 2026-05-14T16:03:41.951Z

NVD

Status: Analyzed

Published: 2026-05-13T22:16:43.533

Modified: 2026-05-15T17:30:03.117

Link: CVE-2026-44193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T23:30:06Z

Weaknesses