🚨 BREAKING

OPNsense RCE: Critical Flaw Allows Root Access Via Malformed Email Address

/CRITICAL /CVSS 9.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severityremote-code-executioncwe-78
OPNsense RCE: Critical Flaw Allows Root Access Via Malformed Email Address

The National Vulnerability Database has disclosed a critical Remote Code Execution (RCE) vulnerability, CVE-2026-44194, affecting OPNsense, the FreeBSD-based firewall and routing platform. Rated with a CVSS score of 9.1, this flaw allows an authenticated user with user-management privileges to execute arbitrary system commands as root. The vulnerability exists in the local user synchronization flow (core/src/opnsense/scripts/auth/sync_user.php).

Attackers can bypass input validation by formatting a malicious payload to appear as a compliant email address. This technique allows shell commands to reach the underlying operating system, elevating privileges and granting full control over the firewall. The attack vector is network-based with low attack complexity, requiring high privileges (PR:H) but no user interaction (UI:N).

This is a severe issue. An attacker who gains administrative access to an OPNsense device can effectively control network traffic, bypass security controls, and establish persistent access to the internal network. The vulnerability is fixed in OPNsense version 26.1.8. Organizations running OPNsense appliances must prioritize patching immediately.

What This Means For You

  • If your organization uses OPNsense, check your appliance version immediately. Any version prior to 26.1.8 is vulnerable to CVE-2026-44194. Patch to 26.1.8 or later without delay. Review administrative user activity logs for any suspicious user management or configuration changes. An attacker exploiting this could gain full control of your network perimeter.

Related ATT&CK Techniques

T1204.002 Malicious File Execution T1059.004 Command and Scripting Interpreter: Unix Shell Execution T1078.004 Valid Accounts: Cloud Accounts Persistence

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1059.004 Execution

CVE-2026-44194 - OPNsense User Management RCE via Malformed Email

Sigma YAML — free preview 
title: CVE-2026-44194 - OPNsense User Management RCE via Malformed Email
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects the execution of the OPNsense user synchronization script (sync_user.php) with a malformed email address containing command injection payloads. This is the primary indicator for CVE-2026-44194, allowing an authenticated attacker with user-management privileges to execute arbitrary commands as root.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44194/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
    category: process_creation
detection:
  selection:
      Image|endswith:
          - '/usr/local/bin/php'
      CommandLine|contains:
          - 'opnsense/scripts/auth/sync_user.php'
      CommandLine|contains:
          - 'email=' # The vulnerable parameter
      CommandLine|contains:
          - 'root' # Likely target for RCE
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-44194 RCE OPNsense firewall and routing platform < 26.1.8
CVE-2026-44194 RCE Authenticated RCE via user-management privileges
CVE-2026-44194 RCE Bypass input validation by formatting payload as email address
CVE-2026-44194 RCE Vulnerable component: core/src/opnsense/scripts/auth/sync_user.php

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 14, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-32991: Team Member Privilege Escalation to Owner Account

CVE-2026-32991 — Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.

vulnerabilityCVEhigh-severitycwe-863
/SCW Vulnerability Desk /HIGH /7.1 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-29206: SQL Injection in sqloptimizer via Slow Query Logs

CVE-2026-29206 — Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging...

vulnerabilityCVEhigh-severitysql-injectioncwe-89
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 3 IOCs /⚙ 7 Sigma

OPNsense RCE: Critical Flaw Allows Root Access via DHCP Input

CVE-2026-45158 — OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-88
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 4 IOCs /⚙ 3 Sigma