Cross-Site Request Forgery Vulnerability in OPNsense Firewall and Routing Platform
CVE-2026-30868

6.3 MEDIUM

Key Information:

Vendor

Opnsense

Status
Vendor
CVE Published:
11 March 2026

What is CVE-2026-30868?

OPNsense, a FreeBSD-based firewall and routing platform, is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability. The flaw arises because several MVC API endpoints do not enforce CSRF protection for state-changing operations when they are reached via HTTP GET requests. In versions prior to 26.1.4, the ApiControllerBase framework does not apply CSRF validation to GET requests, which leaves those endpoints open to forged requests. If an authenticated user visits a malicious website, that site can cause privileged operations such as service reloads and configuration changes to be carried out without the user noticing. The vulnerability poses a significant risk because it allows unauthorized changes to the firewall's system state.
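The following added example (not OPNsense code, and not the project's actual base controller) models the flaw described above and the fix: a request dispatcher in which CSRF tokens are validated only on POST, so a GET to a state-changing endpoint that rides on the victim's session cookie is accepted, placed beside a hardened dispatcher that refuses GET for state-changing endpoints and requires the token regardless of method. Endpoint paths, the `X-CSRFToken` header name, and the session/token handling are constructed for illustration and do not reproduce OPNsense's real API surface.

```python
"""Minimal model of CSRF enforcement on an MVC-style API base controller.

Added example, not OPNsense code. Endpoint paths, header names and the
session/token handling are constructed for illustration only.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed: endpoints whose handlers change system state (service reload,
# configuration save). Real OPNsense API paths are not reproduced here.
STATE_CHANGING_PATHS = {
    "/api/example/service/reload",
    "/api/example/settings/set",
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    authenticated: bool = True  # the browser attached the session cookie


@dataclass
class Response:
    status: int
    state_changed: bool


def csrf_token_ok(req: Request, session_token: str) -> bool:
    """Constant-time comparison of the token the client sent with the one bound to the session."""
    sent = req.headers.get("X-CSRFToken", "")
    return hmac.compare_digest(sent, session_token)


def dispatch_vulnerable(req: Request, session_token: str) -> Response:
    """Pre-fix pattern: the CSRF token is validated only on POST.

    A GET to a state-changing endpoint is never checked, so a request that a
    third-party page makes the browser send (cookie attached automatically,
    no way for that page to obtain the token) is executed.
    """
    if not req.authenticated:
        return Response(401, False)
    if req.method == "POST" and not csrf_token_ok(req, session_token):
        return Response(403, False)
    if req.path in STATE_CHANGING_PATHS:
        return Response(200, True)
    return Response(200, False)


def dispatch_hardened(req: Request, session_token: str) -> Response:
    """Fixed pattern: state-changing endpoints refuse GET and always require the token."""
    if not req.authenticated:
        return Response(401, False)
    if req.path in STATE_CHANGING_PATHS:
        if req.method != "POST":
            return Response(405, False)  # no state change on a safe method
        if not csrf_token_ok(req, session_token):
            return Response(403, False)
        return Response(200, True)
    # Read-only endpoints: GET is allowed, there is nothing to forge.
    return Response(200, False)


def simulate() -> dict:
    """Run the same two requests through both dispatchers and return the outcomes."""
    token = secrets.token_hex(16)
    # Cross-site request: GET, session cookie present, no CSRF token.
    cross_site = Request("GET", "/api/example/service/reload")
    # Legitimate web UI request: POST carrying the session's token.
    legit = Request("POST", "/api/example/service/reload", {"X-CSRFToken": token})
    return {
        "vuln_cross_site": dispatch_vulnerable(cross_site, token),
        "hard_cross_site": dispatch_hardened(cross_site, token),
        "vuln_legit": dispatch_vulnerable(legit, token),
        "hard_legit": dispatch_hardened(legit, token),
    }


if __name__ == "__main__":
    for name, resp in simulate().items():
        print(f"{name}: status={resp.status} state_changed={resp.state_changed}")
```

Running the block shows the vulnerable dispatcher returning 200 with `state_changed=True` for the cross-site GET, while the hardened one returns 405; the legitimate POST with a valid token succeeds in both. The key design point is that the check lives in the shared base controller, so every endpoint inherits it rather than each handler opting in.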

Affected Version(s)

core < 26.1.4

References

CVSS V3.1

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
