Cyber Resilience

CVE-2026-30868

Severity: Medium · Public PoC

Published: 11 March 2026

Modified: 17 March 2026
KEV Added: (none recorded)
Patch: (none recorded)
CVSS v3.1 score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L)
EPSS score: 0.0014 (3.9th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-30868 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in OPNsense (vendor: OPNsense). Its CVSS v3.1 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 3.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-3 (Access Enforcement).

Deeper analysis

OPNsense, a FreeBSD-based firewall and routing platform, is affected by CVE-2026-30868 in versions prior to 26.1.4. The vulnerability stems from multiple MVC API endpoints that perform state-changing operations yet are reachable via HTTP GET requests without CSRF protection. The framework's CSRF validation in ApiControllerBase applies only to the POST, PUT and DELETE methods, so an authenticated GET request bypasses the check entirely and can still trigger privileged backend actions.

An attacker can exploit this authenticated CSRF vulnerability by luring a logged-in OPNsense user to a malicious website. Because the browser attaches the user's session cookie to cross-site GET requests automatically, the site can issue GET requests to the vulnerable endpoints, causing unintended service reloads and configuration changes through configd and thus unauthorized changes to system state. Exploitation requires low privileges and user interaction, reflected in the CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L).
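To make the failure mode concrete, the following is an added illustration, not OPNsense's code and not the contents of ApiControllerBase: a simplified API gate that validates a CSRF token only for POST/PUT/DELETE (the pattern the advisory describes), beside a hardened gate that refuses to run state-changing handlers over safe methods at all, validates the token on every non-safe request, and checks the Origin header when one is present. The route paths, the `X-CSRFToken` header, the session store and all sample requests are constructed for the example.

```python
"""Added illustration (hypothetical code, not OPNsense's): a CSRF gate that
checks tokens only for POST/PUT/DELETE, beside a hardened gate that also
refuses to serve state-changing actions over GET/HEAD/OPTIONS."""
import hmac
from dataclasses import dataclass, field

# Hypothetical route table: path -> (handler, changes_state). The handlers
# stand in for backend actions such as a service reload through configd.
ROUTES = {
    "/api/demo/service/reload": (lambda: "reloaded", True),
    "/api/demo/service/status": (lambda: "running", False),
}

# Constructed session store: session cookie value -> CSRF token bound to it.
SESSION_TOKENS = {"sess-alice": "tok-7d1f9c"}
# Constructed: the appliance's own web origin.
ALLOWED_ORIGINS = {"https://firewall.example"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # e.g. Origin, X-CSRFToken
    cookies: dict = field(default_factory=dict)  # e.g. session


def _session_token(req: Request):
    return SESSION_TOKENS.get(req.cookies.get("session"))


def _token_matches(req: Request) -> bool:
    expected = _session_token(req)
    supplied = req.headers.get("X-CSRFToken", "")
    return expected is not None and hmac.compare_digest(expected, supplied)


def handle_vulnerable(req: Request) -> tuple[int, str]:
    """Mirrors the flaw the advisory describes: the token is checked only for
    POST/PUT/DELETE, so a cross-site GET (which carries the session cookie
    automatically) reaches the state-changing handler unverified."""
    if req.path not in ROUTES:
        return 404, "not found"
    if _session_token(req) is None:
        return 401, "unauthenticated"
    if req.method in ("POST", "PUT", "DELETE") and not _token_matches(req):
        return 403, "csrf check failed"
    handler, _ = ROUTES[req.path]
    return 200, handler()


def handle_hardened(req: Request) -> tuple[int, str]:
    """Hardened gate: state-changing routes are never served over safe methods,
    every non-safe request must carry a valid token, and an Origin header,
    when present, must match the appliance's own origin."""
    if req.path not in ROUTES:
        return 404, "not found"
    if _session_token(req) is None:
        return 401, "unauthenticated"
    handler, changes_state = ROUTES[req.path]
    safe_method = req.method in ("GET", "HEAD", "OPTIONS")
    if changes_state and safe_method:
        # Cross-site GETs (an <img> tag, a link) often arrive with no Origin
        # header, so method restriction, not origin checking, is what stops them.
        return 405, "state-changing action requires POST"
    if not safe_method:
        origin = req.headers.get("Origin")
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return 403, "cross-origin request rejected"
        if not _token_matches(req):
            return 403, "csrf check failed"
    return 200, handler()


# Constructed sample requests.
FORGED_GET = Request("GET", "/api/demo/service/reload",
                     cookies={"session": "sess-alice"})
LEGIT_POST = Request("POST", "/api/demo/service/reload",
                     headers={"Origin": "https://firewall.example",
                              "X-CSRFToken": "tok-7d1f9c"},
                     cookies={"session": "sess-alice"})
FORGED_POST = Request("POST", "/api/demo/service/reload",
                      headers={"Origin": "https://attacker.example"},
                      cookies={"session": "sess-alice"})
READ_GET = Request("GET", "/api/demo/service/status",
                   cookies={"session": "sess-alice"})

if __name__ == "__main__":
    for name, req in [("forged GET", FORGED_GET), ("legit POST", LEGIT_POST),
                      ("forged POST", FORGED_POST), ("read GET", READ_GET)]:
        print(f"{name:11} vulnerable={handle_vulnerable(req)} "
              f"hardened={handle_hardened(req)}")
```

Running the block shows the difference in one line: the forged GET is served by the vulnerable gate (200, "reloaded") and refused by the hardened one (405), while the legitimate POST and the read-only GET succeed under both. The design point is that a CSRF token check bolted onto selected methods is only as good as the guarantee that no state-changing code is reachable by the methods it skips; the hardened gate makes that guarantee explicit per route.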

The issue is addressed in OPNsense 26.1.4. Additional details are available in the GitHub Security Advisory at https://github.com/opnsense/core/security/advisories/GHSA-pp58-2qpc-3j3f.

Vulnerability details

OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state-changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross-Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

The CSRF flaw in OPNsense's network-accessible web API endpoints is what makes exploitation of a public-facing application (T1190) possible, since it permits unauthorized state-changing actions; the delivery path is a malicious link visited by an authenticated user (T1204.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-44193 (same product: OPNsense)
- CVE-2026-45158 (same product: OPNsense)
- CVE-2026-44194 (same product: OPNsense)
- CVE-2026-34578 (same product: OPNsense)
- CVE-2025-50989 (same product: OPNsense)
- CVE-2025-70031 (shared CWE-352)
- CVE-2025-23902 (shared CWE-352)
- CVE-2026-34384 (shared CWE-352)
- CVE-2025-23880 (shared CWE-352)
- CVE-2025-30550 (shared CWE-352)

Affected Assets

OPNsense OPNsense, versions ≤ 26.1.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

- Prevent (SC-23 Session Authenticity): Directly requires protection of session authenticity, which the missing CSRF token validation on GET requests violates.
- Prevent: Requires validation of all inputs, including the HTTP method and anti-CSRF tokens, before performing state-changing operations.
- Prevent (AC-3 Access Enforcement): Enforces that privileged configd actions are only executed on properly authorized (non-forged) requests from authenticated users.
