Remote Code Execution Vulnerability in OPNsense Firewall by Deciso
CVE-2026-45158

9.1 CRITICAL

Key Information:

Vendor: Opnsense

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-45158?

OPNsense, a FreeBSD-based firewall and routing platform developed by Deciso, is affected by a remote code execution vulnerability caused by unsanitized user input being passed to the DHCP configuration. The flaw resides in a shell script and allows an attacker to execute arbitrary commands with root privileges on the underlying operating system. The CVSS vector rates it as reachable over the network with low attack complexity, but requiring high privileges. The issue is patched in version 26.1.8, and users are strongly advised to update their installations.

Affected Version(s)

core < 26.1.8

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved