Deciso B.V.
OPNsense
See the latest tracked release, confirm when it was published, and subscribe for update emails.
26.1.9
- Release date
- June 02, 2026
- Security status
- 5 high-severity CVEs tracked in the last 90 days. Current version not affected.
Source
GitHub API
Public release notes are linked for the latest stored release.
Release history
See the latest published releases stored for this product.
| Version | Published | Notes |
|---|---|---|
| 26.1.9 | 2026-06-02 | Release Notes |
| 26.1.8 | 2026-05-12 | Release Notes |
| 26.1.7 | 2026-04-30 | Release Notes |
| 26.1.6 | 2026-04-09 | Release Notes |
| 26.1.5 | 2026-03-25 | Release Notes |
| 26.1.4 | 2026-03-11 | Release Notes |
Vulnerability tracking
versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.
Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.
| CVE | Severity | Published | Status | Summary |
|---|---|---|---|---|
| CVE-2026-45158 | CRITICAL (9.1) | 2026-05-13 | Current versionnot affected | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell script, allowing remote code execution as root on the underlying operating system. This vulnerability is fixed in 26.1.8. Affected versions
|
| CVE-2026-44194 | CRITICAL (9.1) | 2026-05-13 | Current versionnot affected | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileges to execute arbitrary system commands as root. An attacker can bypass input validation by formatting their malicious payload as a compliant email address, allowing shell commands to reach the underlying operating system. The flaw exists in the local user synchronization flow, within core/src/opnsense/scripts/auth/sync_user.php. This vulnerability is fixed in 26.1.8. Affected versions
|
| CVE-2026-44193 | CRITICAL (9.1) | 2026-05-13 | Current versionnot affected | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. This vulnerability is fixed in 26.1.7. Affected versions
|
| CVE-2026-34578 | HIGH (8.2) | 2026-04-09 | Current versionnot affected | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6. Affected versions
|
| CVE-2026-30868 | HIGH (8.1) | 2026-03-11 | Current versionnot affected | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state‑changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross‑Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4. Affected versions
|