PT-2026-40827 · Opnsense · Opnsense
Published: 2026-05-13 · Updated: 2026-05-23 · CVE-2026-44194
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OPNsense versions prior to 26.1.8
Description: An authenticated remote code execution vulnerability in the core of this FreeBSD-based firewall and routing platform allows a user with user-management privileges to execute arbitrary system commands as root. The flaw lies in the local user synchronization flow in core/src/opnsense/scripts/auth/sync user.php. An attacker can bypass input validation by formatting a malicious payload as a syntactically valid email address, allowing shell commands to reach the underlying operating system.
Recommendations: Update to version 26.1.8.

Tags: Exploit · Fix · RCE · OS Command Injection
Weakness Enumeration:
Related Identifiers: CVE-2026-44194
Affected Products: Opnsense