CVE-2026-30868
Published: 11 March 2026
Summary
CVE-2026-30868 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in OPNsense. Its CVSS v3.1 base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 5.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Control mapping has not yet run for this specific CVE; the list below is derived from the weakness type (CWE-352) cited in the NVD entry, so it describes generic anti-CSRF controls rather than OPNsense-specific ones.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Request monitoring detects anomalous request patterns consistent with cross-site request forgery, for example state-changing requests whose Referer or Origin points at a foreign site or is absent.
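The monitoring control above, as an added example that is not taken from the page or from the OPNsense project: it scans web-server access log lines for GET requests to /api/ paths whose segments look state-changing and whose Referer is missing or from another origin, which is the shape of the forged requests this CVE describes. The GUI origin, the verb list and the endpoint paths are assumptions, and the log lines are constructed in Combined Log Format.

```python
"""Access-log detection for the CVE-2026-30868 abuse pattern (added example).

Flags GET requests to /api/ paths containing a state-changing action word
whose Referer is absent or from another origin. FIREWALL_ORIGIN, the verb
list and the sample endpoint paths are hypothetical; a deployment would take
the verbs and paths from the actual route table.
"""
import re
from urllib.parse import urlsplit

FIREWALL_ORIGIN = "https://fw.example.internal"  # hypothetical GUI origin
# hypothetical action words, not a list taken from OPNsense
STATE_CHANGING_VERBS = {"reload", "restart", "start", "stop", "set", "add", "del", "toggle"}

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_state_changing(path):
    """True for /api/... paths where any segment is one of the action verbs."""
    segs = [s for s in urlsplit(path).path.split("/") if s]
    return len(segs) >= 2 and segs[0] == "api" and any(s in STATE_CHANGING_VERBS for s in segs)


def cross_site(referer):
    """True when the request is not proven to come from a page on the GUI itself."""
    if referer in ("", "-"):
        return True  # CLF writes "-" for a missing Referer
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" != FIREWALL_ORIGIN


def scan(lines):
    """Return (client, path, referer, status) for every request matching the pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and looks_state_changing(rec["path"]) and cross_site(rec["referer"]):
            hits.append((rec["ip"], rec["path"], rec["referer"], int(rec["status"])))
    return hits


# constructed sample: two legitimate GUI requests, then three forged GETs
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2026:10:01:02 +0000] "GET /api/example/service/status HTTP/1.1" 200 512 "https://fw.example.internal/ui/example" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2026:10:01:09 +0000] "POST /api/example/service/reload HTTP/1.1" 200 21 "https://fw.example.internal/ui/example" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2026:10:02:31 +0000] "GET /api/example/service/reload HTTP/1.1" 200 21 "https://attacker.example/cute-cat.html" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2026:10:02:32 +0000] "GET /api/example/filter/set HTTP/1.1" 200 17 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Mar/2026:10:02:33 +0000] "GET /api/example/service/reload HTTP/1.1" 405 0 "https://attacker.example/cute-cat.html" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The status column tells the analyst whether the forged request reached the handler: a 200 on a flagged line means the state change ran. Treating a missing Referer as suspicious will produce false positives from browsers or extensions that suppress it, so where the server logs the Sec-Fetch-Site header that value is a more reliable same-origin signal than Referer.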
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw in public-facing OPNsense web API endpoints directly enables exploitation of a network-accessible application (T1190) to perform unauthorized state-changing actions; the required attack delivery is a malicious link visited by an authenticated user (T1204.001).
NVD Description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.
Deeper analysis
OPNsense, a FreeBSD-based firewall and routing platform, is affected by CVE-2026-30868 in versions prior to 26.1.4. The vulnerability stems from multiple MVC API endpoints that perform state-changing operations but are accessible via HTTP GET requests without CSRF protection. The framework's CSRF validation in ApiControllerBase applies only to POST, PUT, and DELETE methods, enabling authenticated GET requests to bypass verification and trigger privileged backend actions.
An attacker can exploit this authenticated Cross-Site Request Forgery (CSRF) vulnerability by luring an authenticated OPNsense user to visit a malicious website. The site can then issue GET requests to the vulnerable endpoints, causing unintended service reloads and configuration changes through configd, which leads to unauthorized system state changes. Exploitation requires low privileges and user interaction, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L).
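A model of the flaw and of a fix, as an added example written in Python rather than OPNsense's own PHP (this is not the project's ApiControllerBase code): the vulnerable dispatcher checks the CSRF token only for POST/PUT/DELETE, so a GET that the victim's browser sends with the session cookie reaches a state-changing handler untouched; the hardened dispatcher keeps that check and additionally refuses safe methods on state-changing routes, so every path to a state change passes through the token check. The route names, the token header name and the configd stand-in are hypothetical.

```python
"""Model of the CVE-2026-30868 pattern (added example, not OPNsense code).

dispatch_vulnerable reproduces the pre-26.1.4 policy described by NVD: the
CSRF token is validated only for POST/PUT/DELETE. dispatch_hardened shows one
correct policy. Routes, header name and Backend are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CSRF_HEADER = "X-CSRFToken"            # hypothetical header name
SESSION_TOKEN = secrets.token_hex(16)  # token the legitimate UI embeds in its pages
UNSAFE_METHODS = ("POST", "PUT", "DELETE")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    # browsers attach the session cookie even to cross-site GETs, so the
    # forged request arrives authenticated
    session_cookie_present: bool = True


class Backend:
    """Stands in for configd: counts privileged actions that actually ran."""

    def __init__(self):
        self.reloads = 0

    def reload_service(self):
        self.reloads += 1
        return {"status": "ok"}


def routes(backend):
    """Route table: path -> (is_state_changing, handler)."""
    return {
        "/api/example/service/reload": (True, backend.reload_service),
        "/api/example/service/status": (False, lambda: {"running": True}),
    }


def token_valid(req):
    return hmac.compare_digest(req.headers.get(CSRF_HEADER, ""), SESSION_TOKEN)


def dispatch_vulnerable(req, backend):
    """Pre-fix policy: the CSRF check is keyed on the HTTP method alone."""
    if not req.session_cookie_present:
        return 401, None
    if req.method in UNSAFE_METHODS and not token_valid(req):
        return 403, None
    entry = routes(backend).get(req.path)
    if entry is None:
        return 404, None
    _, handler = entry
    return 200, handler()  # a GET reaches the state-changing handler unchecked


def dispatch_hardened(req, backend):
    """Fixed policy: state-changing routes refuse safe methods, so the token check always applies."""
    if not req.session_cookie_present:
        return 401, None
    if req.method in UNSAFE_METHODS and not token_valid(req):
        return 403, None
    entry = routes(backend).get(req.path)
    if entry is None:
        return 404, None
    state_changing, handler = entry
    if state_changing and req.method not in UNSAFE_METHODS:
        return 405, None
    return 200, handler()


def simulate_forged_get():
    """A page on another origin loads GET /api/.../reload; cookie sent, no token."""
    forged = Request("GET", "/api/example/service/reload")
    vuln_backend, hard_backend = Backend(), Backend()
    v_status, _ = dispatch_vulnerable(forged, vuln_backend)
    h_status, _ = dispatch_hardened(forged, hard_backend)
    return v_status, vuln_backend.reloads, h_status, hard_backend.reloads


def simulate_legitimate_post():
    """The real UI sends POST with the token; the hardened policy still allows it."""
    req = Request("POST", "/api/example/service/reload", {CSRF_HEADER: SESSION_TOKEN})
    backend = Backend()
    status, _ = dispatch_hardened(req, backend)
    return status, backend.reloads


if __name__ == "__main__":
    print(simulate_forged_get())       # (200, 1, 405, 0)
    print(simulate_legitimate_post())  # (200, 1)
```

The model makes the root cause concrete: the token check and the state change were gated on different conditions (method versus route), and any route that changes state but accepts a safe method slips between them. Requiring the token for every request that reaches a state-changing handler, regardless of method, closes the same gap without a method allow-list.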
The issue is addressed in OPNsense 26.1.4. Additional details are available in the GitHub Security Advisory at https://github.com/opnsense/core/security/advisories/GHSA-pp58-2qpc-3j3f.
Details
- CWE(s)