CVE-2026-30868

MEDIUM 6.3

Cross-Site Request Forgery (CSRF) in opnsense/core

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.

CWE	CWE-352
Vendor	opnsense
Product	core
Published	Mar 11, 2026
Last Updated	Mar 11, 2026

Stay Ahead of the Next One

Get instant alerts for opnsense core

Be the first to know when new medium vulnerabilities affecting opnsense core are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Affected Versions

opnsense / core

< 26.1.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/opnsense/core/security/advisories/GHSA-pp58-2qpc-3j3f