CVE-2026-44194
CRITICAL · 9.1
Public PoC + patch available within 24h, but not KEV-listed; defender urgency real.
What: Authenticated Remote Code Execution in OPNsense core <26.1.8 allowing root command execution via input validation bypass in user synchronization; CVSS 9.1 CRITICAL.
Why it matters: Public PoC disclosed within 24 hours of CVE publication; affects firewall/routing appliance with user-management privileges required; patch (26.1.8) available same day. Not KEV-listed yet, but active researcher/defender chatter indicates immediate triage priority for OPNsense deployments.
Where it's seen: Vulnerability feeds (Vulmon, OffSeq) aggregating CVE details; security researchers posting PoC links; advisor tweets pushing immediate patching; no mass exploitation signal yet but high-value target (firewall) + working PoC = rapid weaponization risk.
RISK: CRITICAL — Firewall appliance RCE, CVSS 9.1, public PoC, trivial patch adoption barrier.
Description
OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system. The flaw exists in the local user synchronization flow, within core/src/opnsense/scripts/auth/sync_user.php. This vulnerability is fixed in 26.1.8.
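The description's core point is that a value can be a compliant email address and still contain characters a shell interprets, so syntax validation alone does not make a field safe to place in a command line. The following audit is an added example, not OPNsense code or the fix shipped in 26.1.8; the record layout, sample users, regex and function names are assumptions made for illustration.

```python
import re
import subprocess
import sys

# RFC 5322 "atext": characters allowed in an unquoted address local part.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
EMAIL_RE = re.compile(
    rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)
# Characters a POSIX shell treats specially in an unquoted word.
SHELL_SPECIAL = set("`$|&;<>(){}!*?~#'\"\\ \t\n")

# Constructed sample records; the name/email layout is an assumption.
USERS = [
    {"name": "alice", "email": "alice@example.com"},
    {"name": "bob", "email": "bob+fw@example.com"},
    {"name": "carol", "email": "dev&ops@example.com"},
    {"name": "dave", "email": "a|b@example.com"},
    {"name": "erin", "email": "not an email"},
]

def is_email_syntax(value):
    """True when value is a syntactically valid dot-atom address."""
    return EMAIL_RE.fullmatch(value) is not None

def audit_users(users):
    """Flag emails that pass syntax validation yet are not shell-inert."""
    findings = []
    for user in users:
        email = user.get("email", "")
        risky = sorted(set(email) & SHELL_SPECIAL)
        if is_email_syntax(email) and risky:
            findings.append((user["name"], email, "".join(risky)))
    return findings

def run_without_shell(value):
    """Pass value as a single argv element so no shell ever parses it."""
    child = "import sys; sys.stdout.write(sys.argv[1])"
    done = subprocess.run([sys.executable, "-c", child, value],
                          capture_output=True, text=True, check=True)
    return done.stdout

if __name__ == "__main__":
    for name, email, chars in audit_users(USERS):
        print(f"{name}: {email!r} is valid email syntax but contains {chars!r}")
```

Any record the audit flags on a pre-26.1.8 system deserves a look at who created or edited it and when.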
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- Attack vector: Network
- Complexity: Low
- Privileges required: High
- User interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High