CSRF in Opnsense Core
CVE-2026-30868
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validati…
Vulnerability class: CSRF (Cross-Site Request Forgery)
EPSS: 0.000 (6.7th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L.
Affected products
- Opnsense Core — versions < 26.1.4
Weakness classification (CWE)
References
- https://github.com/opnsense/core/security/advisories/GHSA-pp58-2qpc-3j3f (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2026-30868?
- CVE-2026-30868 is a medium-severity vulnerability in Opnsense Core, classified under Cross-Site Request Forgery (CSRF). CVSS score: 6.3/10. Published 2026-03-11.
- How severe is CVE-2026-30868?
- Medium severity. CVSS v3 base score is 6.3 out of 10.