Description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system. The flaw exists in the local user synchronization flow, within core/src/opnsense/scripts/auth/sync_user.php. This vulnerability is fixed in 26.1.8.
Published: 2026-05-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user with privileges to manage other users in OPNsense can inject arbitrary system commands through the user management interface. By submitting a payload that masquerades as a valid email address, the attacker bypasses input validation, causing the underlying operating system to execute shell commands. This flaw is an instance of OS Command Injection (CWE-78) and poses a complete compromise of the device, allowing full root-level control.

Affected Systems

The vulnerability affects the OPNsense firewall and routing platform, specifically the core component before version 26.1.8. Users running any pre‑26.1.8 build of OPNsense are potentially exposed. The flaw resides in the local user synchronization script located in the path core/src/opnsense/scripts/auth/sync_user.php.

Risk and Exploitability

With a CVSS score of 9.1 the vulnerability is rated as critical, indicating a high impact if exploited. The EPSS score is not available, but the lack of listing in CISA KEV does not diminish the inherent risk. The exploit requires authentication and user‑management rights, which limits the attack surface to authorized administrators or compromised accounts. If an attacker gains such privileges, the command injection can be used to spawn a reverse shell or install persistence mechanisms, leading to full device takeover. Hence, the risk remains high until the issue is remedied.

Generated by OpenCVE AI on May 13, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OPNsense 26.1.8 or later, which removes the command injection code in sync_user.php.
  • If an update cannot be applied immediately, disable the user‑management feature or lock all accounts that have user‑management privileges until the patch is applied.
  • Enforce strict least‑privilege controls so that only trusted administrators can create or modify users, and enable logging for all user‑management actions.
  • Review authentication and user‑creation logs for suspicious activity and consider isolating the device from external networks until remediation is complete.

Generated by OpenCVE AI on May 13, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Opnsense opnsense
CPEs cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*
Vendors & Products Opnsense opnsense

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 00:30:00 +0000

Type Values Removed Values Added
First Time appeared Opnsense
Opnsense core
Vendors & Products Opnsense
Opnsense core

Wed, 13 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system. The flaw exists in the local user synchronization flow, within core/src/opnsense/scripts/auth/sync_user.php. This vulnerability is fixed in 26.1.8.
Title OPNsense: RCE on user managment
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Opnsense Core Opnsense
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T03:55:23.384Z

Reserved: 2026-05-05T15:13:47.570Z

Link: CVE-2026-44194

cve-icon Vulnrichment

Updated: 2026-05-14T15:57:19.255Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T22:16:43.673

Modified: 2026-05-15T17:19:46.990

Link: CVE-2026-44194

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T00:30:07Z

Weaknesses