
OPNsense CVE-2026-44193

EUVD-2026-30183 · CRITICAL
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-13 · security-advisories@github.com
CVSS 3.1 score 9.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 08:21 (vuln.today)
Patch available: May 13, 2026 - 23:17 (EUVD)

Description (GitHub Advisory)

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. This vulnerability is fixed in 26.1.7.

Analysis (AI)

Remote code execution in OPNsense firewall versions prior to 26.1.7 allows authenticated high-privileged users to execute arbitrary code via the opnsense.restore_config_section XMLRPC method, which fails to sanitize user-supplied input. The flaw carries a CVSS 9.1 with scope change and total impact, and while publicly available exploit code exists per SSVC, EPSS rates real-world exploitation probability at only 0.23%, suggesting niche rather than mass-scale risk. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain admin or HA-sync credentials
Delivery: Reach OPNsense XMLRPC endpoint over network
Exploit: Send crafted opnsense.restore_config_section call
Execution: Argument injection in unsanitized config payload
Persist: Execute arbitrary OS commands on firewall
Impact: Pivot into protected network segments

Vulnerability Assessment (AI)

Exploitation: Exploitation requires network reach to the OPNsense XMLRPC endpoint (typically used for High Availability config synchronization or admin tooling) AND high-privilege credentials valid for that interface (CVSS PR:H) - practically, this means the system admin password or the HA sync password. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Risk signals are mixed and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained high-privilege credentials for the OPNsense admin or HA sync XMLRPC interface - for example via credential theft, a compromised HA peer, or a leaked sync password - sends a crafted XMLRPC call to opnsense.restore_config_section containing unsanitized payload fragments. The malformed configuration section is processed without proper neutralization and injects attacker-controlled arguments into a downstream command, yielding arbitrary OS-level code execution on the firewall (publicly available exploit code exists per SSVC poc rating).

Remediation: Upgrade to OPNsense 26.1.7 or later, which is the vendor-released patch fixing input sanitization in the opnsense.restore_config_section XMLRPC handler; details are in the upstream advisory at https://github.com/opnsense/core/security/advisories/GHSA-xxp9-93cr-x54p. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Identify all OPNsense deployments and document current versions; review administrator credential security and access logs for anomalies. …


CVE-2026-44193 vulnerability details – vuln.today
