CVE-2026-30868

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/opnsense/core/security/advisories/GHSA-pp58-2qpc-3j3f	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 17:16

Updated : 2026-03-17 19:13

NVD link : CVE-2026-30868

Mitre link : CVE-2026-30868

CVE.ORG link : CVE-2026-30868

JSON object : View

Products Affected

opnsense

opnsense

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2026-30868", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-11T17:16:57.937", "references": [{"url": "https://github.com/opnsense/core/security/advisories/GHSA-pp58-2qpc-3j3f", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state\u2011changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross\u2011Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4."}, {"lang": "es", "value": "OPNsense es una plataforma de cortafuegos y enrutamiento basada en FreeBSD. Antes de la versi\u00f3n 26.1.4, m\u00faltiples puntos finales de la API MVC de OPNsense realizan operaciones que cambian el estado, pero son accesibles a trav\u00e9s de solicitudes HTTP GET sin protecci\u00f3n CSRF. La validaci\u00f3n CSRF del framework en ApiControllerBase solo se aplica a los m\u00e9todos POST/PUT/DELETE, permitiendo que las solicitudes GET autenticadas omitan la verificaci\u00f3n CSRF. Como resultado, un sitio web malicioso puede desencadenar acciones privilegiadas en el backend cuando es visitado por un usuario autenticado, causando recargas de servicio y cambios de configuraci\u00f3n no deseados a trav\u00e9s de configd. Esto resulta en una vulnerabilidad de falsificaci\u00f3n de solicitud entre sitios (Cross-Site Request Forgery) autenticada que permite cambios de estado del sistema no autorizados. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 26.1.4."}], "lastModified": "2026-03-17T19:13:04.247", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03190C55-5F46-4CD4-944C-B7CA5BCC77F9", "versionEndExcluding": "26.1.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}