
CVE-2026-44194: OPNsense: Authenticated Users with User-Management Privileges Can Run System Commands as Root

Summary

Prior to 26.1.8, an OPNsense user who holds user-management privileges can execute arbitrary system commands as root through the local user synchronization flow: shell metacharacters carried inside a syntactically valid email address pass input validation and reach the underlying operating system. Because the resulting command runs as root, an attacker with such an account can take full control of the firewall, alter its configuration, or read sensitive data. Note that this is an authenticated issue, not one reachable by anonymous users. Update to version 26.1.8 or later.

Original title
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privil...
Original description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system. The flaw exists in the local user synchronization flow, within core/src/opnsense/scripts/auth/sync_user.php. This vulnerability is fixed in 26.1.8.
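The description above turns on one point practitioners often miss: an address that is valid under the RFC 5322 grammar may still contain backticks, `$`, `{`, `}`, `|` and `&`, all of which a POSIX shell interprets. The block below is an added illustration of that CWE-78 pattern and is not OPNsense's code, not the contents of sync_user.php, and not an exploit for this CVE; the regex, the function names, the `echo` command standing in for the real synchronization command, and the `PAYLOAD` string are all constructed for this example. It shows a validator that accepts a compliant address, a script that interpolates that address into a double-quoted shell string (still injectable), and the argv-based form that removes the shell from the path entirely.

```python
"""
Added illustration (not OPNsense code): an RFC 5322-compliant e-mail
address is not shell-safe, and argv-based execution fixes the command
injection even when syntactic validation passes.
"""
import re
import shlex
import subprocess

# RFC 5322 "atext": characters allowed in an unquoted (dot-atom) local part.
# It includes ` $ { } | & ' and friends, all meaningful to /bin/sh.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = ATEXT + r"+(?:\." + ATEXT + r"+)*"
# A quoted-string local part may additionally carry spaces, parentheses, etc.
QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
EMAIL_RE = re.compile("^(?:" + DOT_ATOM + "|" + QUOTED + ")@" + DOMAIN + "$")


def is_compliant_email(addr: str) -> bool:
    """Syntactic check only: grammar compliance says nothing about shell safety."""
    return EMAIL_RE.fullmatch(addr) is not None


def vulnerable_sync(email: str) -> str:
    """CWE-78 pattern: validated input is interpolated into a shell command line.
    Double quotes do not help; the shell still expands backticks and $(...)
    inside them. `echo` stands in for whatever the real script would run."""
    if not is_compliant_email(email):
        raise ValueError("rejected by validation")
    cmd = f'echo "{email}"'  # hypothetical: looks quoted, is still injectable
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def hardened_sync(email: str) -> str:
    """Fix: never build a command string; pass argv so no shell parses the value."""
    if not is_compliant_email(email):
        raise ValueError("rejected by validation")
    return subprocess.run(["echo", email], capture_output=True, text=True).stdout.strip()


def quote_for_shell(email: str) -> str:
    """If a shell string is unavoidable, shlex.quote() turns the value into a
    single-quoted literal; the shell then performs no expansion on it."""
    return f"echo {shlex.quote(email)}"


# Constructed test input: every character is RFC 5322 atext, so it validates,
# yet inside a double-quoted shell string the backticks run `printf INJECTED`
# (${IFS} expands to whitespace, so no literal space is needed in the address).
PAYLOAD = "`printf${IFS}INJECTED`@example.com"

if __name__ == "__main__":
    print("validates:", is_compliant_email(PAYLOAD))      # True
    print("vulnerable:", vulnerable_sync(PAYLOAD))         # INJECTED@example.com
    print("hardened:  ", hardened_sync(PAYLOAD))           # address printed literally
    print("quoted cmd:", quote_for_shell(PAYLOAD))
```

The takeaway for the "compliant email address" bypass described in the advisory is that validation and neutralization are separate controls: a format check decides whether a value is an e-mail address, and only argv-style process execution (or, failing that, per-argument quoting) decides whether it can reach the shell as code.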
NVD CVSS 3.1: 9.1
Vulnerability type
CWE-78 OS Command Injection
Published: 13 May 2026 · Updated: 30 May 2026 · First seen: 13 May 2026