Git · Core · CVE-2026-30868
**Name of the Vulnerable Software and Affected Versions**
OPNsense versions prior to 26.1.4
**Description**
OPNsense is a FreeBSD-based firewall and routing platform. Multiple OPNsense MVC API endpoints perform state-changing operations but are reachable via HTTP GET requests without Cross-Site Request Forgery (CSRF) protection. The framework's CSRF validation in `ApiControllerBase` applies only to POST, PUT, and DELETE methods, so an authenticated GET request bypasses CSRF verification entirely. Because the browser attaches the session cookie to such a request automatically, a malicious website visited by an authenticated user can trigger privileged backend actions, causing unintended service reloads and configuration changes through `configd`, the process that applies configuration changes. The result is an authenticated CSRF issue that allows unauthorized system state changes.
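The gate described above, modelled as an added example in JavaScript. This is not OPNsense code and not the fix shipped in 26.1.4; the endpoint paths, the `mutates` flag, the `X-CSRFToken` header name, the session object and the `configd` stub are all hypothetical. It shows why a method-conditional CSRF check is insufficient (a cross-site GET with no token still reaches the handler and drives `configd`) and contrasts it with a gate that refuses mutating actions on GET and checks the token on every mutating request.

```javascript
// Added illustration of a method-conditional CSRF gate versus a hardened one.
// Hypothetical paths, header names and configd stub; not OPNsense's code.

const TOKEN_CHECKED_METHODS = new Set(["POST", "PUT", "DELETE"]);

// Hypothetical action registry. `mutates` marks actions that end up
// calling configd (service reloads, configuration writes).
const ACTIONS = {
  "/api/example/service/reconfigure": { mutates: true },
  "/api/example/service/status": { mutates: false },
};

// Stand-in for configd: records every action a request made it run.
function makeConfigd() {
  const calls = [];
  return { calls, run: (action) => calls.push(action) };
}

// Token check: header must be present and equal the session's token.
function tokenValid(req, session) {
  const sent = req.headers["x-csrftoken"];
  return sent !== undefined && sent === session.csrfToken;
}

// Vulnerable gate, matching the advisory's description of the pre-26.1.4
// behaviour: the token is verified only for POST/PUT/DELETE, so an
// authenticated GET reaches a state-changing handler with no CSRF check.
function dispatchVulnerable(req, session, configd) {
  const action = ACTIONS[req.path];
  if (!action) return { status: 404 };
  if (!session.authenticated) return { status: 401 };
  if (TOKEN_CHECKED_METHODS.has(req.method) && !tokenValid(req, session)) {
    return { status: 403, reason: "csrf" };
  }
  if (action.mutates) configd.run(`reconfigure ${req.path}`);
  return { status: 200 };
}

// Hardened gate (illustrative, not the project's patch): a mutating action
// never runs on GET, and every mutating request needs a valid token
// regardless of method. Read-only GETs are unaffected.
function dispatchHardened(req, session, configd) {
  const action = ACTIONS[req.path];
  if (!action) return { status: 404 };
  if (!session.authenticated) return { status: 401 };
  if (action.mutates) {
    if (req.method === "GET") return { status: 405, reason: "get-not-allowed" };
    if (!tokenValid(req, session)) return { status: 403, reason: "csrf" };
  }
  if (action.mutates) configd.run(`reconfigure ${req.path}`);
  return { status: 200 };
}

// Cross-site scenario: the victim's browser is logged in (the session
// cookie is attached automatically), but the attacker's page cannot read
// or set the CSRF token, so the request carries none.
function crossSiteGet(path) {
  return { method: "GET", path, headers: {} };
}

// A legitimate same-origin request from the real UI, which does hold the token.
function legitimatePost(path, token) {
  return { method: "POST", path, headers: { "x-csrftoken": token } };
}

// Runs one request through a gate and reports the outcome plus how many
// times configd was driven. Session values are constructed test data.
function runScenario(dispatch, req) {
  const session = { authenticated: true, csrfToken: "t0k3n" };
  const configd = makeConfigd();
  const res = dispatch(req, session, configd);
  return { status: res.status, configdCalls: configd.calls.length };
}

function main() {
  const target = "/api/example/service/reconfigure";
  console.log("vulnerable, cross-site GET:", runScenario(dispatchVulnerable, crossSiteGet(target)));
  console.log("hardened,   cross-site GET:", runScenario(dispatchHardened, crossSiteGet(target)));
  console.log("hardened,   legitimate POST:", runScenario(dispatchHardened, legitimatePost(target, "t0k3n")));
}

if (typeof require !== "undefined" && require.main === module) main();
```

The point to check in a real deployment is the same one the model makes: an authenticated GET to a state-changing endpoint should be refused outright, not merely exempted from the token check, since the attacker's page cannot be prevented from issuing the GET but can be prevented from having it do anything.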
**Recommendations**
Update OPNsense installations running versions prior to 26.1.4 to version 26.1.4 or later.