PT-2026-40828 · Opnsense · Opnsense

Published: 2026-05-13 · Updated: 2026-05-14 · CVE-2026-44195

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: OPNsense versions prior to 26.1.7

Description: A logic flaw in the lockout handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interleaving normal brute-force attempts with a login attempt whose crafted username contains a success keyword such as "Accepted" or "Successful login", the attacker can prevent the failure counter from reaching the lockout threshold.

Recommendations: Update to version 26.1.7.
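
The class of flaw described above can be modelled in a few lines. This is an added example, not OPNsense's code: the sshd-style log format, the threshold of 5, the addresses and all function names are assumptions. It contrasts a counter that treats a success keyword anywhere in a log line as a login with one that takes the verdict only from the fixed message prefix.

```python
import re
from collections import defaultdict

THRESHOLD = 5  # assumed lockout threshold for this model
SUCCESS_KEYWORDS = ("Accepted", "Successful login")  # keywords named in the advisory
IP_RE = re.compile(r" from (\S+) port \d+")
# The verdict is read only from the fixed prefix. The greedy user field and the
# end anchor mean text inside the username cannot supply the verdict or address.
STRICT_RE = re.compile(
    r"^(Failed|Accepted) \S+ for (?:invalid user )?.* from (\S+) port \d+ ssh2$")

def classify_naive(line):
    """Flawed model: a success keyword anywhere in the line counts as a login."""
    m = IP_RE.search(line)
    if not m:
        return None
    if any(k in line for k in SUCCESS_KEYWORDS):
        return m.group(1), True
    return (m.group(1), False) if "Failed" in line else None

def classify_strict(line):
    """Hardened model: the attacker-controlled username never decides the verdict."""
    m = STRICT_RE.match(line)
    return (m.group(2), m.group(1) == "Accepted") if m else None

def locked_out(lines, classify):
    """Return the addresses whose failure counter reached THRESHOLD."""
    failures, blocked = defaultdict(int), set()
    for line in lines:
        event = classify(line)
        if event is None:
            continue
        ip, success = event
        if success:
            failures[ip] = 0  # a real login resets the counter
        else:
            failures[ip] += 1
            if failures[ip] >= THRESHOLD:
                blocked.add(ip)
    return blocked

def sample_log():
    """Constructed log: 12 failed logins, every third with a keyword username."""
    lines = []
    for i in range(12):
        user = "Accepted" if i % 3 == 2 else "admin"
        lines.append(f"Failed password for invalid user {user} "
                     f"from 203.0.113.7 port {50000 + i} ssh2")
    lines.append("Accepted publickey for root from 198.51.100.9 port 40000 ssh2")
    return lines
```

With the naive classifier the constructed source address is never locked out. With the strict classifier it is blocked at the fifth failure, while the genuine login from the other address is unaffected.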

Weakness Enumeration: Improper Restriction of Excessive Authentication Attempts

Related Identifiers: CVE-2026-44195

Affected Products: OPNsense