
OPNsense CVE-2026-44195

EUVD-2026-30185 · MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-05-13 · security-advisories@github.com
5.3 (CVSS 3.1 · GitHub Advisory)

Severity by source

GitHub Advisory (primary): 5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

Analysis generated: Jun 08, 2026 10:45 (vuln.today)
Patch available: May 13, 2026 23:17 (EUVD)

Description (GitHub Advisory)

OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword ("Accepted" or "Successful login") between normal brute-force attempts, an attacker can prevent the failure counter from ever reaching the lockout threshold. This vulnerability is fixed in 26.1.7.
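As an added illustration of the flaw class in the description (this is constructed example code, not OPNsense's lockout_handler, and the log format, threshold and IP address are assumptions for the example), the following Python contrasts a counter that scans free-form authentication log text for success keywords with one that decides only on a structured outcome field: the first is reset by a username carrying the keyword, the second is not.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5
SUCCESS_KEYWORDS = ("Accepted", "Successful login")

# Constructed log format assumed for this model (not OPNsense's real format):
#   "<outcome> for user '<name>' from <ip>"   with outcome Failed or Accepted
LINE_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) for user '(?P<user>.*)' from (?P<ip>\S+)$"
)


def weak_update(counters, line):
    """Flawed: keyword scan over the whole line. The user field is
    attacker-controlled, so a username containing a success keyword
    is mistaken for a successful login and resets the counter."""
    ip = line.rsplit(" from ", 1)[-1]
    if any(k in line for k in SUCCESS_KEYWORDS):
        counters[ip] = 0
    else:
        counters[ip] += 1


def hardened_update(counters, line):
    """Fixed: parse into fields and decide on the outcome field only;
    free-form user text never influences the decision."""
    m = LINE_RE.match(line)
    if m is None:
        return  # an unparseable line is never treated as a success
    ip = m.group("ip")
    if m.group("outcome") == "Accepted":
        counters[ip] = 0
    else:
        counters[ip] += 1


def lockout_state(update, lines):
    """Replay constructed lines through an update function; return
    per-IP lockout state (True once the threshold is reached)."""
    counters = defaultdict(int)
    for line in lines:
        update(counters, line)
    return {ip: n >= LOCKOUT_THRESHOLD for ip, n in counters.items()}


# Constructed sample: eight failed logins from one IP, where every third
# attempt uses the crafted username the advisory describes.
SAMPLE = [
    "Failed for user '%s' from 198.51.100.7" % ("Accepted" if i % 3 == 2 else "admin")
    for i in range(8)
]
```

The keyword scanner never reaches the threshold on this sample, while the field-based parser locks the address out after five failures; the detection lesson is that lockout logic must key on an event type the client cannot write into, not on text the client supplies.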

Analysis (AI-generated)

Brute-force lockout bypass in OPNsense prior to 26.1.7 allows unauthenticated remote attackers to indefinitely circumvent the authentication failure counter, enabling unlimited credential guessing against any network-accessible login endpoint. The flaw resides in the lockout_handler logic, which interprets attacker-controlled username strings containing the keywords 'Accepted' or 'Successful login' as success signals and resets the IP-based failure counter. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed OPNsense management interface
Delivery: Send crafted username containing 'Accepted' keyword
Exploit: lockout_handler resets failure counter for attacker IP
Execution: Resume brute-force credential attempts without lockout
Persist: Guess valid administrative credentials
Impact: Gain authenticated access to firewall administration

Vulnerability Assessment (AI-generated)

Exploitation: No special configuration is required beyond network reachability of the OPNsense authentication endpoint (web management UI or SSH). …
Risk Assessment: Despite a moderate CVSS base score of 5.3, the real-world risk to internet-facing OPNsense deployments is meaningfully elevated by several converging signals. …
Exploit Scenario: An attacker identifies an internet-facing OPNsense firewall with its management web interface or SSH exposed. They initiate an automated credential-stuffing or dictionary attack, but between each failed login attempt they submit a login request using a crafted username string such as 'Accepted' or 'Successful login', which causes the lockout_handler to reset the failure counter for the attacker's IP. …
Remediation: Upgrade OPNsense core to version 26.1.7 or later, which contains the vendor-released fix as confirmed by the GitHub Security Advisory GHSA-h3vx-4q27-rc42. …

CVE-2026-44195 vulnerability details – vuln.today