
OPNsense Firewall and Routing Platform Allows Unauthorized Configuration Changes

CVE-2026-30868
Summary

OPNsense's web interface allows a malicious website to change firewall and network settings if visited by a logged-in user. This is a serious issue because it can disrupt network services and make unauthorized changes to system settings. To fix this, update to OPNsense version 26.1.4 or later.

Original title
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state-changing operations but are accessible via HTTP GET requests without CS...
Original description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state-changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross-Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.
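The flaw described above, modelled as an added example (not OPNsense code): a minimal request dispatcher with the weak rule that validates the CSRF token only for POST/PUT/DELETE, beside a hardened rule that refuses GET for any state-changing action. Endpoint paths, the token header name and the session token are constructed for illustration; a cross-site request is modelled as authenticated (the browser attaches the session cookie) but carrying no CSRF token.

```python
from dataclasses import dataclass, field

# Constructed endpoint table: which paths mutate state and which only read it.
STATE_CHANGING = {"/api/hypothetical/service/reload"}
READ_ONLY = {"/api/hypothetical/service/status"}
SESSION_TOKEN = "constructed-session-csrf-token"  # token bound to the session
MUTATING_METHODS = ("POST", "PUT", "DELETE")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    # True models the browser sending the session cookie automatically,
    # which is exactly why a forged cross-site request arrives authenticated.
    authenticated: bool = True


def weak_csrf_check(req: Request) -> bool:
    """The flawed rule: the token is only checked for POST/PUT/DELETE.

    A GET request is waved through without any token, so a state-changing
    endpoint reached via GET is never protected.
    """
    if req.method in MUTATING_METHODS:
        return req.headers.get("X-CSRFToken") == SESSION_TOKEN
    return True


def hardened_csrf_check(req: Request) -> bool:
    """Hardened rule: state-changing actions must use a mutating method,
    and every mutating method must carry a valid CSRF token."""
    if req.path in STATE_CHANGING and req.method not in MUTATING_METHODS:
        return False  # GET can never change state
    if req.method in MUTATING_METHODS:
        return req.headers.get("X-CSRFToken") == SESSION_TOKEN
    return True  # read-only GET needs no token


def dispatch(req: Request, csrf_check) -> tuple:
    """Return (HTTP status, whether a reload was triggered)."""
    if not req.authenticated:
        return 401, False
    if not csrf_check(req):
        return 403, False
    if req.path in STATE_CHANGING:
        return 200, True  # the backend action runs
    if req.path in READ_ONLY:
        return 200, False
    return 404, False
```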
NVD CVSS 3.1 base score: 6.3
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026