CVE-2026-30868: CWE-352: Cross-Site Request Forgery (CSRF) in opnsense core
OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.4, multiple OPNsense MVC API endpoints perform state-changing operations but are accessible via HTTP GET requests without CSRF protection. The framework CSRF validation in ApiControllerBase only applies to POST/PUT/DELETE methods, allowing authenticated GET requests to bypass CSRF verification. As a result, a malicious website can trigger privileged backend actions when visited by an authenticated user, causing unintended service reloads and configuration changes through configd. This results in an authenticated Cross-Site Request Forgery vulnerability allowing unauthorized system state changes. This vulnerability is fixed in 26.1.4.
AI Analysis
Technical Summary
OPNsense is a FreeBSD-based firewall and routing platform widely used for network security management. In versions prior to 26.1.4, multiple MVC API endpoints in OPNsense core perform critical state-changing operations via HTTP GET requests. The underlying framework's CSRF protection mechanism in ApiControllerBase only enforces validation on POST, PUT, and DELETE HTTP methods, leaving GET requests unprotected. Because the browser attaches the user's session cookie to any request, including one triggered by another site, these GET endpoints can be reached without a CSRF token: an attacker can craft a malicious web page that, when visited by an authenticated OPNsense user, causes unintended backend actions such as service reloads or configuration changes through the configd daemon. This constitutes an authenticated CSRF vulnerability (CWE-352) that compromises system integrity and availability by allowing unauthorized changes without user intent. The attack requires the victim to be authenticated and to visit a malicious website, but no user interaction beyond the page visit is necessary. The vulnerability does not expose confidential data directly but can disrupt firewall operations or alter configurations, potentially weakening network defenses. The issue was publicly disclosed on March 11, 2026, and resolved in OPNsense version 26.1.4. No known exploits are reported in the wild at this time.
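The method-gated check described above, modelled as an added example (this is hypothetical illustration code, not OPNsense's ApiControllerBase): `weak_csrf_guard` reproduces the flawed rule that only checks the token for POST/PUT/DELETE, and `hardened_csrf_guard` shows the corrected rule, which refuses side-effecting GETs, verifies the token, and checks the request origin. `Request`, the header names, and the origins are assumptions.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical model of a method-gated CSRF check (not OPNsense code).
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # browser adds cookies itself


def weak_csrf_guard(req: Request, session_token: str) -> bool:
    """Flawed rule described in the advisory: the token is only checked for
    POST/PUT/DELETE, so a GET that rides on the victim's session cookie is
    let through to a side-effecting action with no token at all."""
    if req.method not in STATE_CHANGING_METHODS:
        return True
    return hmac.compare_digest(req.headers.get("X-CSRFToken", ""), session_token)


def _origin_of(req: Request) -> str:
    """Scheme and host of the page that issued the request, from Origin or
    (as a fallback) Referer; empty if the browser sent neither."""
    src = req.headers.get("Origin") or req.headers.get("Referer", "")
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" if u.scheme and u.netloc else ""


def hardened_csrf_guard(req: Request, session_token: str,
                        state_changing: bool, own_origin: str) -> bool:
    """Corrected rule: any action that changes state must use a state-changing
    method, carry a valid token, and originate from the GUI's own origin.
    Read-only requests are unaffected."""
    if not state_changing:
        return True
    if req.method not in STATE_CHANGING_METHODS:
        return False  # a side-effecting GET is refused outright
    if not hmac.compare_digest(req.headers.get("X-CSRFToken", ""), session_token):
        return False
    return _origin_of(req) == own_origin
```

The key difference is that the hardened guard decides by whether the action changes state, not by which HTTP method happened to reach it.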
Potential Impact
The vulnerability allows attackers to perform unauthorized state-changing operations on OPNsense firewall devices by abusing the browser sessions of authenticated users. This can lead to unintended service reloads or configuration modifications, potentially disrupting network security policies and firewall behavior. Organizations relying on OPNsense for perimeter defense or internal segmentation may experience a degraded security posture, increased risk of network exposure, or downtime. Although confidentiality is not directly impacted, the integrity and availability of firewall configurations and services are at risk. Attackers could leverage this to weaken firewall rules, disable protections, or cause service interruptions, which may facilitate further attacks or data breaches. The requirement for user authentication and user interaction (visiting a malicious site) limits the attack scope but does not eliminate risk, especially in environments with many users or where users frequently access external web content while logged in. The medium CVSS score reflects this balance of impact and exploit complexity.
Mitigation Recommendations
1. Upgrade all OPNsense core installations to version 26.1.4 or later, where this CSRF vulnerability is patched.
2. Review and restrict user access to the OPNsense web interface, enforcing the principle of least privilege to minimize the number of authenticated users exposed to potential CSRF attacks.
3. Implement network segmentation and firewall rules to limit administrative interface access to trusted networks or VPNs only, reducing exposure to malicious websites.
4. Educate users about the risks of visiting untrusted websites while authenticated to critical infrastructure management portals.
5. Consider deploying web application firewalls (WAFs) or reverse proxies that can detect and block suspicious HTTP GET requests that attempt state changes.
6. Monitor OPNsense logs for unusual configuration changes or service reloads that may indicate exploitation attempts.
7. If upgrading immediately is not feasible, temporarily disable or restrict access to vulnerable API endpoints or enforce additional CSRF protections via custom rules or plugins.
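One concrete form of the log monitoring in recommendation 6, as an added example that is not part of the advisory: it scans web-server access-log lines for successful GET requests to API paths whose Referer names a host other than the firewall itself, which is the trace a cross-site trigger leaves behind. The log lines, paths and hostnames are constructed placeholders, and the combined log format is an assumption about how the GUI's web server is configured.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in "combined" access-log format; paths and hosts are
# placeholders, not real OPNsense endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2026:16:59:52 +0000] "GET /api/example/service/reconfigure HTTP/1.1" 200 15 "https://other.example/page.html" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2026:17:00:03 +0000] "GET /api/example/service/status HTTP/1.1" 200 88 "https://firewall.example/ui/example" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2026:17:00:10 +0000] "POST /api/example/service/set HTTP/1.1" 200 20 "https://firewall.example/ui/example" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Split one combined-format line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cross_site_api_get(entry: dict, own_hosts: set) -> bool:
    """Successful GET to an API path whose Referer names a host other than the
    firewall itself: the shape a forged cross-site request leaves in the log."""
    if entry["method"] != "GET" or not entry["path"].startswith("/api/"):
        return False
    if int(entry["status"]) >= 400:
        return False  # rejected requests did not change anything
    ref_host = urlsplit(entry["referer"]).hostname
    return ref_host is not None and ref_host not in own_hosts


def scan(log_text: str, own_hosts: set) -> list:
    """Return (timestamp, client, path, referer) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_cross_site_api_get(e, own_hosts):
            hits.append((e["ts"], e["ip"], e["path"], e["referer"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, {"firewall.example"}):
        print("cross-site API GET:", *hit)
```

Lines with an empty or missing Referer are not flagged, so treat hits as a signal to correlate with configd reload and configuration-change events rather than as proof on their own.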
Affected Countries
United States, Germany, Netherlands, United Kingdom, Canada, Australia, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-05T21:27:35.343Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b19f882f860ef9434a76c9
Added to database: 3/11/2026, 4:59:52 PM
Last enriched: 3/11/2026, 5:15:39 PM
Last updated: 3/14/2026, 2:29:48 AM