CVE-2026-44194

Published May 13, 2026

Last updated 5 days ago

CVSS critical 9.1

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-44194 is an authenticated Remote Code Execution (RCE) vulnerability affecting OPNsense, a FreeBSD-based firewall and routing platform, in versions prior to 26.1.8. This flaw allows a user with user-management privileges to execute arbitrary system commands as root. The vulnerability stems from a bypass of input validation within the local user synchronization flow, specifically in the `core/src/opnsense/scripts/auth/sync_user.php` script. An attacker can craft a malicious payload disguised as a compliant email address, which then enables the execution of shell commands on the underlying operating system. The issue is resolved in OPNsense version 26.1.8.

Description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system. The flaw exists in the local user synchronization flow, within core/src/opnsense/scripts/auth/sync_user.php. This vulnerability is fixed in 26.1.8.
Source
security-advisories@github.com
NVD status
Analyzed
Products
opnsense

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
6
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-78

Social media

Hype score
Not currently trending

  1. CVE-2026-44194 & CVE-2026-45158: Two RCE vulnerabilities in OPNsense, 9.1 rating 🔥 Two vulnerabilities in OPNsense allows an authenticated attacker to execute arbitrary code as root on the firewall host via User management system (CVE-2026-44194) and DHCP Config https://t

    @Netlas_io

    15 May 2026

    2555 Impressions

    10 Retweets

    34 Likes

    11 Bookmarks

    2 Replies

    0 Quotes

  2. OPNsenseに重大(Critical)な脆弱性2件。CVE-2026-44194はWebインターフェースのユーザ名にメールアドレスを指定した際のOSコマンドインジェクション。CVE-2026-45158はDHCP構成からのOSコマンドインジェクション。いずれも

    @__kokumoto

    14 May 2026

    300 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Public PoC for OPNsense CVE-2026-44194 and CVE-2026-45158. Critical flaws allow root command execution via DHCP and User sync. Update to 26.1.8 now! #OPNsense #CyberSecurity #InfoSec #RCE #VulnerabilityAlert #CVE #Firewall #OpenSource #RootExploit #PoC https://t.co/BfnGvOtwTS ht

    @the_yellow_fall

    14 May 2026

    818 Impressions

    5 Retweets

    12 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability is fixed in 26.1.8.CVE-2026-45158
  2. OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword ("Accepted" or "Successful login") between normal brute-force attempts, an attacker can prevent the failure counter from ever reaching the lockout threshold. This vulnerability is fixed in 26.1.7.CVE-2026-44195
  3. OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. This vulnerability is fixed in 26.1.7.CVE-2026-44193
  4. OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.CVE-2026-34578
  5. OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.CVE-2026-30868

References

Sources include official advisories and independent security research.