CVE-2026-30868HIGH 8.1EPSS p3.9%

CVE-2026-30868CVE-2026-30868

Description

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS0.14% probability of exploitation · percentile 3.9% · 2026-06-19T12:03:05Z
Published2026-03-11
Last modified2026-03-17

Underlying weaknesses· 1

CWE-352

References

  1. https://github.com/opnsense/core/security/advisories/GHSA-pp58-2qpc-3j3f

1

TypeTargetConfidenceTier
WeaknessCross-Site Request Forgery (CSRF)cwe-3520%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-44193
CVE
CVE-2026-45158
CVE
CVE-2026-34578
CVE
CVE-2026-44194
CVE
CVE-2025-50989
CVE
CVE-2026-27841
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.