What is the CVSS score of CVE-2026-30868?

CVE-2026-30868 has a CVSS 3.1 base score of 6.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Opnsense are affected by CVE-2026-30868?

Organizations using OPNsense should be aware of moderate risk from CVE-2026-30868, a cross-site request forgery vulnerability rated CVSS 6.3.

Opnsense CVE-2026-30868

MEDIUM

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-03-11 security-advisories@github.com

CSRF Opnsense

6.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.3 MEDIUM

AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 11, 2026 - 17:16 nvd

MEDIUM 6.3

DescriptionGitHub Advisory

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.

AnalysisAI

OPNsense prior to version 26.1.4 contains a CSRF vulnerability where state-changing API endpoints accept HTTP GET requests without proper anti-CSRF protections, allowing authenticated users to be tricked into triggering unintended system operations. An attacker can craft a malicious website that, when visited by an authenticated OPNsense administrator, performs unauthorized configuration changes or service reloads through the vulnerable endpoints. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 6.3 (MEDIUM). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker without authentication could exploit this flaw, an authenticated Cross‑Site Request Forgery vulnerability al.
Remediation	Fixed in version 26.1.4.. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-30868 vulnerability details – vuln.today

Back