Description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability is fixed in 26.1.8.
Published: 2026-05-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to release 26.1.8, user input directed at the DHCP configuration of an interface in OPNsense is forwarded without sanitization to a shell script that processes the configuration. An attacker can craft this unsanitized data to execute arbitrary shell commands with root privileges on the underlying FreeBSD operating system, giving full control over the device. The vulnerability is classified as CWE-88 (Improper Neutralization of Argument Delimiters in a Command, "Argument Injection"), a variant of command injection. The impact therefore spans the confidentiality, integrity, and availability of the affected system.

Affected Systems

The affected product is OPNsense core. All instances running a version earlier than 26.1.8 are potentially vulnerable. No additional vendor or product list is available beyond the core package.

Risk and Exploitability

The CVSS score of 9.1 places this flaw in the Critical severity range. Although the EPSS value is not reported, the lack of a KEV listing suggests no confirmed public exploits are available yet. The attack vector is likely remote, requiring the attacker to have network access that permits sending specially crafted DHCP configuration commands to the OPNsense box. Based on the description, it is inferred that the attacker could trigger the vulnerability by manipulating DHCP traffic directed at the device’s interface. Should the system expose the DHCP configuration interface to external networks or lack proper authentication, exploitation feasibility rises significantly. The CVSS vector recorded for this CVE (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) rates the attack as network-reachable with high privileges required. Administrators should treat this as a high‑risk vulnerability requiring prompt remediation.

Generated by OpenCVE AI on May 13, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OPNsense to version 26.1.8 or newer, which fixes the command injection issue.
  • Restrict access to the DHCP configuration interface to trusted hosts and network segments to limit exposure to potential attackers.
  • Enable logging and monitor for unexpected DHCP configuration changes or suspicious shell activity to detect exploitation attempts early.

Generated by OpenCVE AI on May 13, 2026 at 23:22 UTC.

Advisories

No advisories yet.

History

Fri, 15 May 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Opnsense opnsense
CPEs cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*
Vendors & Products Opnsense opnsense

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Opnsense
Opnsense core
Vendors & Products Opnsense
Opnsense core

Wed, 13 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability is fixed in 26.1.8.
Title OPNsense: Command Injection via Attacker-Controlled DHCP Config
Weaknesses CWE-88
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:22:09.189Z

Reserved: 2026-05-08T20:44:38.964Z

Link: CVE-2026-45158

Vulnrichment

Updated: 2026-05-14T12:22:05.971Z

NVD

Status: Analyzed

Published: 2026-05-13T22:16:46.363

Modified: 2026-05-15T16:19:38.600

Link: CVE-2026-45158

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T00:00:07Z

Weaknesses