CVE-2026-30868
Published: 11 March 2026
Summary
CVE-2026-30868 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in OPNsense. Its CVSS v3.1 base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood percentile is 3.9 (well below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-3 (Access Enforcement).
Deeper analysis
OPNsense, a FreeBSD-based firewall and routing platform, is affected by CVE-2026-30868 in versions prior to 26.1.4. The vulnerability stems from multiple MVC API endpoints that perform state-changing operations but are reachable via HTTP GET requests without CSRF protection. The framework's CSRF validation in ApiControllerBase is keyed on the HTTP method and applies only to POST, PUT, and DELETE, so an authenticated GET request is never checked and can still trigger privileged backend actions.
An attacker exploits this authenticated CSRF vulnerability by luring a user who is logged in to the OPNsense web interface to a malicious website. That site issues GET requests to the vulnerable endpoints (an image tag pointing at the endpoint URL is enough); the victim's browser attaches the OPNsense session cookie automatically, so the requests arrive authenticated and cause unintended service reloads and configuration changes through configd, leading to unauthorized system state changes. Exploitation requires low privileges and user interaction, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L).
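To make the defect class concrete, the following is an added example, not code from OPNsense or its ApiControllerBase. It models a dispatcher whose CSRF check is keyed on the HTTP verb (the flawed pattern the advisory describes) beside a hardened dispatcher that keys the check on whether the action has side effects and refuses such actions over GET. The action names, the token format, the request model and the `Sec-Fetch-Site` defence-in-depth check are all assumptions for illustration.

```python
"""
Model of the defect class behind CVE-2026-30868: a CSRF check keyed on the
HTTP verb (POST/PUT/DELETE only) beside a hardened dispatcher that keys the
check on whether the action changes state. Hypothetical code, not OPNsense's
ApiControllerBase; action names and the token format are made up.
"""
from dataclasses import dataclass, field
import hmac

# Constructed sample data: the anti-CSRF token the victim's session holds.
SESSION_CSRF_TOKEN = "s3ss10n-t0k3n"

# Hypothetical API actions. True = state-changing (would reach a backend such
# as configd and reload or reconfigure a service); False = read-only.
ACTIONS = {"status": False, "reconfigure": True, "restart": True}


@dataclass
class Request:
    method: str
    action: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or body
    authenticated: bool = True  # the browser attaches the session cookie


@dataclass
class Backend:
    """Stand-in for the privileged backend; records what it was asked to run."""
    calls: list = field(default_factory=list)

    def run(self, action):
        self.calls.append(action)
        return {"status": "ok", "action": action}


def token_valid(req):
    return hmac.compare_digest(req.params.get("csrf_token", ""), SESSION_CSRF_TOKEN)


def vulnerable_dispatch(req, backend):
    """The flawed pattern: the token is verified only for POST/PUT/DELETE,
    so an authenticated GET reaches the backend with no CSRF check at all."""
    if not req.authenticated:
        return 401, {"error": "unauthenticated"}
    if req.method in ("POST", "PUT", "DELETE") and not token_valid(req):
        return 403, {"error": "csrf token invalid"}
    return 200, backend.run(req.action)


def hardened_dispatch(req, backend):
    """Tie the CSRF check to side effects, not to the verb: state-changing
    actions are refused over GET and must carry a valid token otherwise."""
    if not req.authenticated:
        return 401, {"error": "unauthenticated"}
    if req.action not in ACTIONS:
        return 404, {"error": "unknown action"}
    if ACTIONS[req.action]:
        if req.method == "GET":
            return 405, {"error": "state-changing action requires POST"}
        if not token_valid(req):
            return 403, {"error": "csrf token invalid"}
        # Defence in depth, not a replacement for the token: browsers that send
        # Sec-Fetch-Site mark cross-site requests, so refuse those outright.
        if req.headers.get("Sec-Fetch-Site", "same-origin") == "cross-site":
            return 403, {"error": "cross-site request refused"}
    return 200, backend.run(req.action)


def forged_get():
    """What <img src="https://firewall/api/.../restart"> on a malicious page
    produces: a GET carrying the session cookie, no token, marked cross-site."""
    return Request("GET", "restart", headers={"Sec-Fetch-Site": "cross-site"})


def forged_post():
    """A cross-site auto-submitted form: POST with the cookie but no token."""
    return Request("POST", "restart", headers={"Sec-Fetch-Site": "cross-site"})


def demo():
    vuln, hard = Backend(), Backend()
    v_get, _ = vulnerable_dispatch(forged_get(), vuln)
    v_get_calls = list(vuln.calls)
    v_post, _ = vulnerable_dispatch(forged_post(), vuln)   # verb check does cover POST
    h_get, _ = hardened_dispatch(forged_get(), hard)
    h_get_calls = list(hard.calls)
    legit = Request("POST", "restart", params={"csrf_token": SESSION_CSRF_TOKEN})
    l_post, _ = hardened_dispatch(legit, hard)
    return {
        "forged_get_vulnerable": (v_get, v_get_calls),
        "forged_post_vulnerable": (v_post, list(vuln.calls)),
        "forged_get_hardened": (h_get, h_get_calls),
        "legit_post_hardened": (l_post, list(hard.calls)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the two dispatchers make side by side: the verb-keyed check does stop a forged cross-site POST (403), which is why the defect went unnoticed, but the same forged request over GET is executed (200, and the backend records the restart). The hardened version never asks which verb was used before deciding whether to verify the token; it asks whether the action changes state.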
The issue is addressed in OPNsense 26.1.4. Additional details are available in the GitHub Security Advisory at https://github.com/opnsense/core/security/advisories/GHSA-pp58-2qpc-3j3f.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11238
Vulnerability details
OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state-changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross-Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw in the public-facing OPNsense web API endpoints lets an attacker drive a network-accessible application into unauthorized state-changing actions (T1190); the delivery mechanism is a malicious link or page visited by an already-authenticated user (T1204.001).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): directly requires protection of session authenticity, which the missing CSRF token validation on GET requests violates.
- Input validation: requires validation of all inputs, including the HTTP method and anti-CSRF tokens, before performing state-changing operations.
- AC-3 (Access Enforcement): enforces that privileged configd actions are only executed on properly authorized (non-forged) requests from authenticated users.