Threat Advisory

OPNsense Vulnerabilities Generate Unrestricted Root Level Permissions

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Two security vulnerabilities have been discovered in OPNsense, an open-source firewall solution, and they pose a significant threat to its users. Both are classified as remote code execution (RCE) and can be exploited by an attacker to gain root access, leading to total system compromise. This poses a substantial business risk, as a successful attack can result in financial loss, damage to reputation, and compromised sensitive data. The disclosure of proof-of-concept (PoC) exploit code further exacerbates the situation, making it easier for attackers to weaponize these flaws against unpatched systems.

CVE-2026-44194 with a CVSS score of 9.1 – This vulnerability targets the OPNsense user management system, allowing an attacker to bypass input validation by crafting a malicious email address with shell metacharacters. The system then passes the username directly into a shell command, resulting in arbitrary command execution as root.

CVE-2026-45158 with a CVSS score of 9.0 – This vulnerability targets the way OPNsense handles DHCP configurations on system interfaces. A user with "page-interfaces" privileges can enable DHCP on an interface and set a custom hostname, which is later written into a configuration file without being sanitized. When the system processes this configuration through a shell script, an attacker can provide a hostname embedded with commands, granting the attacker a remote root shell.

RECOMMENDATION:

We recommend updating OPNsense to version 26.1.8 or later.
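
A defensive check to accompany the upgrade, added here and not taken from the advisory or the OPNsense project: it audits an exported config.xml for user and DHCP hostname values that fall outside strict allow-lists, the two input classes named in the summary. The element paths and the allow-list patterns are assumptions, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)
# Deliberately narrow allow-lists (stricter than the mail RFCs), so nothing a
# shell treats specially (; | & $ ` ' " < > ( ) space newline) can pass.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}\Z")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\Z")

# Assumed locations of the fields in a config.xml export (not from the advisory).
CHECKS = [
    ("./system/user/name", USERNAME_RE),
    ("./system/user/email", EMAIL_RE),
    ("./interfaces/*/dhcphostname", HOSTNAME_RE),
]

def audit_config(xml_text):
    """Return (path, value) pairs whose value fails its allow-list."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, pattern in CHECKS:
        for node in root.findall(path):
            value = node.text or ""
            if value and not pattern.match(value):
                findings.append((path, value))
    return findings

# Constructed sample, not taken from a real system.
SAMPLE = """<opnsense>
  <system>
    <user><name>alice</name><email>alice@example.org</email></user>
    <user><name>bob</name><email>bob@example.org;true</email></user>
  </system>
  <interfaces>
    <wan><dhcphostname>edge-fw01</dhcphostname></wan>
    <opt1><dhcphostname>lab$(true)</dhcphostname></opt1>
  </interfaces>
</opnsense>"""

if __name__ == "__main__":
    for path, value in audit_config(SAMPLE):
        print(f"suspicious value at {path}: {value!r}")
```

Any finding on a system that has not yet been upgraded warrants review of who set the value and when.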

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/opnsense-critical-root-rce-cve-2026-44194-poc-disclosure/
