SB2026040954 - Cross-site request forgery in OPNsense


Published: April 9, 2026

Security Bulletin ID: SB2026040954
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact:

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Cross-site request forgery (CVE-ID: CVE-2026-30868)

The vulnerability allows a remote user to cause unauthorized system state changes.

The vulnerability exists because state-changing MVC API endpoints accept authenticated HTTP GET requests without CSRF validation. A remote user can trick a victim into visiting a malicious website to cause unauthorized system state changes.

User interaction is required. Exploitation relies on the session cookie being sent along with cross-site top-level navigation GET requests, which happens because the cookie is set with SameSite=Lax.
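As an added illustration (not code from the advisory or from OPNsense), the following Python model shows why the combination matters: a SameSite=Lax session cookie is still attached to cross-site top-level GET navigations, so an endpoint that changes state on an authenticated GET without a CSRF token is reachable that way, while an endpoint that requires a non-safe method plus a valid token is not. The request shapes and token values are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional
import hmac


@dataclass
class Request:
    method: str            # HTTP method as sent by the browser
    cross_site: bool       # request originates from a different site
    top_level_nav: bool    # link click / location change, not fetch, XHR or <img>
    csrf_token: Optional[str] = None


def session_cookie_sent(req: Request, samesite: str) -> bool:
    """Browser rule for attaching a cookie, given its SameSite attribute."""
    if not req.cross_site or samesite == "None":
        return True
    if samesite == "Lax":
        # Lax still sends the cookie on cross-site top-level navigations that use
        # a safe method; this is the behaviour the advisory's condition depends on.
        return req.top_level_nav and req.method in ("GET", "HEAD")
    return False  # Strict: never attached to cross-site requests


def accepts_state_change_weak(req: Request, samesite: str = "Lax") -> bool:
    """Weak endpoint: any request carrying a session cookie changes state, GET included."""
    return session_cookie_sent(req, samesite)


def accepts_state_change_hardened(req: Request, expected_token: str,
                                  samesite: str = "Lax") -> bool:
    """Hardened endpoint: a session, a non-safe method and a valid CSRF token."""
    if not session_cookie_sent(req, samesite):
        return False
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return False  # safe methods must never change state
    return req.csrf_token is not None and hmac.compare_digest(req.csrf_token, expected_token)


# Constructed sample requests (not taken from the advisory)
LEGIT_POST = Request("POST", cross_site=False, top_level_nav=False, csrf_token="tok-123")
CROSS_SITE_NAV_GET = Request("GET", cross_site=True, top_level_nav=True)
CROSS_SITE_POST = Request("POST", cross_site=True, top_level_nav=False, csrf_token="guess")
```

Run against the samples, the weak endpoint accepts the cross-site navigation GET under SameSite=Lax but not under Strict, and the hardened endpoint rejects it in both cases while still accepting the legitimate same-site POST.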


Remediation

Install the update from the vendor's website.