CVE-2026-30868

Name of the Vulnerable Software and Affected Versions OPNsense versions prior to 26.1.4

Description OPNsense is a FreeBSD based firewall and routing platform. Multiple OPNsense MVC API endpoints perform state-changing operations but are accessible via HTTP GET requests without Cross-Site Request Forgery (CSRF) protection. The framework CSRF validation in ApiControllerBase only applies to POST, PUT, and DELETE methods, allowing authenticated GET requests to bypass CSRF verification. A malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross-Site Request Forgery issue allowing unauthorized system state changes. The affected API endpoints are vulnerable due to the lack of CSRF protection on GET requests. The configd process is used for configuration changes.

Recommendations Versions prior to 26.1.4 should be updated to version 26.1.4 or later.