Executive Summary

CVE-2026-30868 is an authenticated Cross-Site Request Forgery (CSRF) vulnerability in OPNsense versions prior to 26.1.4. It occurs because multiple OPNsense MVC API endpoints perform state-changing operations via HTTP GET requests without proper CSRF protection. The CSRF validation only applies to POST, PUT, and DELETE methods, allowing authenticated GET requests to bypass this protection.

As a result, a malicious website can cause an authenticated user to unknowingly trigger privileged backend actions such as service reloads and configuration changes through the configd daemon by simply visiting the malicious site. This can lead to unauthorized system state changes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to cause unauthorized operational changes on an OPNsense system when the victim is authenticated. Specifically, it can trigger privileged backend actions such as:

• Reloading the Unbound DNSBL service and templates.
• Reconfiguring the Unbound DNS resolver and restarting the DHCP service.
• Reconfiguring network interfaces.
• Updating firewall bogon lists.

Although the vulnerability does not allow command injection, these unauthorized changes compromise system integrity by allowing attackers to manipulate firewall and network configurations without proper authorization.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for HTTP GET requests to specific OPNsense MVC API endpoints that perform state-changing operations without CSRF protection. Confirmed vulnerable endpoints include:'}, {'type': 'list_item', 'content': 'GET /api/unbound/service/dnsbl'}, {'type': 'list_item', 'content': 'GET /api/unbound/service/reconfigure_general'}, {'type': 'list_item', 'content': 'GET /api/interfaces/overview/reload_interface/<identifier>'}, {'type': 'list_item', 'content': 'GET /api/firewall/alias_util/update_bogons'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can use network monitoring tools or web server logs to search for GET requests to these endpoints from authenticated users. For example, using command-line tools on the OPNsense system or a proxy, you might run commands like:'}, {'type': 'list_item', 'content': "grep 'GET /api/unbound/service/dnsbl' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': "grep 'GET /api/unbound/service/reconfigure_general' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': "grep 'GET /api/interfaces/overview/reload_interface' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': "grep 'GET /api/firewall/alias_util/update_bogons' /var/log/nginx/access.log"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual service reloads or configuration changes triggered by these endpoints may indicate exploitation.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade OPNsense to version 26.1.4 or later, where this vulnerability is fixed.
• Enforce that state-changing API endpoints only accept POST requests and return HTTP 405 Method Not Allowed for GET requests.
• Maintain existing CSRF validation for POST, PUT, and DELETE methods.
• Optionally, implement Origin and Referer header validation for additional defense in depth.

Until the patch is applied, restrict access to the API endpoints to trusted users and networks, and monitor for suspicious GET requests to the vulnerable endpoints.

Useful 0 Not Useful 0