
OPNsense CVE-2026-45158

EUVD-2026-30202 · CRITICAL
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-13 · security-advisories@github.com
CVSS 3.1: 9.1 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 9.1 CRITICAL, AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • Analysis generated: Jun 08, 2026 - 08:27 (vuln.today)
  • Patch available: May 13, 2026 - 23:17 (EUVD)

Description (GitHub Advisory)

OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability is fixed in 26.1.8.

Analysis (AI)

Remote code execution in OPNsense firewall (core versions prior to 26.1.8) allows authenticated administrators to execute arbitrary commands as root by injecting shell metacharacters into DHCP interface configuration fields that are passed unsanitized to an underlying shell script. The flaw carries a 9.1 CVSS score with scope change reflecting privilege escalation from the web UI context to OS root, though no public exploit has been identified at time of analysis and EPSS estimates only a 0.23% probability of near-term exploitation.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Obtain OPNsense admin credentials
  • Delivery: Reach web GUI over network
  • Exploit: Inject shell metacharacters into DHCP field
  • Install: Save configuration to trigger backend script
  • C2: Script executes payload as root
  • Execute: Establish persistence on firewall
  • Impact: Pivot into protected network segments

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) authenticated access to the OPNsense web GUI with privileges sufficient to edit DHCP configuration on an interface (PR:H in the CVSS vector), (2) the target running OPNsense core prior to 26.1.8 with DHCP service enabled on at least one configurable interface so the vulnerable shell-script processing path is reached, and (3) network reachability to the web management interface (AV:N). …

Risk Assessment: Signals are mixed. …

Exploit Scenario: An attacker who has obtained valid administrator (or sufficiently privileged operator) credentials for the OPNsense web UI - for example via phishing of a network engineer, reused credentials, or post-compromise pivoting from a management host - navigates to the DHCP configuration page for an interface and enters a crafted value containing shell metacharacters into a field that is later concatenated into a backend shell script. When the configuration is applied, the script executes the injected command as root, giving the attacker a persistent root shell on the firewall itself, from which they can sniff traffic, alter NAT/firewall rules, or pivot deeper into protected segments. …

Remediation: Vendor-released patch: OPNsense core 26.1.8 - upgrade via the built-in firmware update mechanism (System → Firmware → Updates) and consult the GitHub Security Advisory at https://github.com/opnsense/core/security/advisories/GHSA-5rx3-w735-74wm for advisory details. …

Recommended Action (AI)

Within 24 hours: Audit all OPNsense instances to identify versions prior to 26.1.8; implement MFA for administrative access if not already in place. …
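
One way to run the version audit recommended above over a fleet inventory, as an added example (not part of the original page and not OPNsense tooling). The 26.1.8 threshold is the fixed release stated in the description; the version-string formats and the sample inventory are assumptions constructed for illustration.

```python
import re

FIXED = (26, 1, 8)  # first fixed OPNsense core release, per the advisory text

# Assumed version-string shapes: "26.1.7", "26.1.7_4", "OPNsense 26.1.8-amd64".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?(?![\d.])")


def parse_version(text):
    """Return (major, minor, patch, revision), or None if nothing parseable."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(text):
    """'vulnerable' if below 26.1.8, 'fixed' if at or above, else 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # never treat an unreadable version as patched
    return "vulnerable" if v[:3] < FIXED else "fixed"


def audit(inventory):
    """Group hosts by status; 'unknown' hosts need a manual check."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        report[classify(version)].append(host)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "fw-edge-01": "OPNsense 26.1.7_4-amd64",
    "fw-edge-02": "26.1.8",
    "fw-lab-01": "25.7.11_2",
    "fw-branch-03": "26.1",
    "fw-dmz-01": "26.1.8_1",
    "fw-old-07": "n/a",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown are the ones whose version could not be read and should be checked by hand rather than assumed patched.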
