TL;DR
A researcher from Hacking Cult published full technical details and proof-of-concept code for three OPNsense firewall flaws. The worst, CVE-2026-57155 (CVSS 9.9), escalates a low-privileged account into a full OPNsense root RCE. OPNsense fixed all three issues in versions 26.1.11 and 26.4.1p1.
Why It Matters
OPNsense guards the network edge for many homes and businesses. So a root bug on the firewall hands an attacker the whole perimeter. That is exactly the reach an OPNsense root RCE provides. CVE-2026-57155 stands out because it needs only the Firewall: Alias: Edit permission. A delegated operator, or anyone who steals such an account, can trigger it. Because the researcher released a public write-up and working PoC, the barrier to abuse just dropped. No in-the-wild exploitation has surfaced yet, but public exploit code shortens that timeline. The same researcher reported five OPNsense bugs in one week, so more detail may follow. Admins should treat the update as urgent.
How the Attacks Work
Each flaw starts from the web interface, and two of them reach root. The researcher confirmed a live root shell during testing. None of the sections below include working payloads.
Root RCE via GeoIP alias importer (CVE-2026-57155)
The GeoIP alias importer downloads a country-IP database from a user-supplied URL and unpacks it as root. The importer then uses the CSV country_code field as the output filename, without sanitizing it. Therefore, a crafted database can write attacker-controlled content outside the intended folder, anywhere on disk, as root. From there, the researcher chained that write to the default newsyslog cron job to run code as root. The source URL has no host limit, so the attacker just points it at their own server.
Stored XSS to root (CVE-2026-58390)
The OpenVPN status widget renders a client common_name into an HTML attribute without quote-safe encoding. When a server uses username-as-common-name with RADIUS or LDAP, the user picks that name. As a result, a username holding a double quote breaks out of the attribute and runs script in an admin’s browser. That admin session drives configd as root, which the researcher used to reset the root password and open a root shell.
Config line injection (CVE-2026-57154)
The third flaw, rated CVSS 8.1, accepts carriage-return and newline characters in single-line fields. An authenticated user with Dnsmasq settings can then add extra directives to the generated dnsmasq.conf. Consequently, that operator can change service behavior beyond the exposed option, create files, or crash the daemon.
Affected Versions
All three issues affect OPNsense 26.1.10 and earlier, plus 26.4.1 and earlier. The OpenVPN widget bug traces to builds up to 26.1.9. Both the stable and business release lines carried the flaws. OPNsense corrected all three in 26.1.11 and 26.4.1p1.
Patch and Mitigation
Update without delay to OPNsense 26.1.11 or 26.4.1p1. No workaround fully removes the OPNsense root RCE risk, so patching is the real fix. Meanwhile, tighten who holds the Firewall: Alias: Edit and Dnsmasq permissions. Also restrict federated OpenVPN usernames that can carry quote characters. For the advisory list and fix notes, follow the project’s OPNsense core security advisories. Finally, review any accounts that could have reached these settings before you patched.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.