SB2026051223 - Multiple vulnerabilities in OPNsense

Description

This security bulletin contains information about 2 vulnerabilities.

1) OS Command Injection (CVE-ID: CVE-2026-44194)

The vulnerability allows a remote user to execute arbitrary system commands as root.

The vulnerability exists due to improper neutralization of special elements used in an os command in core/src/opnsense/scripts/auth/sync_user.php when synchronizing local user changes. A remote privileged user can supply a crafted email address as a username to execute arbitrary system commands as root.

The issue occurs because quoted email local-parts can contain shell metacharacters that pass username validation and are then interpreted by the shell.

2) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-45158)

The vulnerability allows a remote user to execute arbitrary code as root.

The vulnerability exists due to improper neutralization of argument delimiters in the DHCP configuration handling in src/etc/inc/interfaces.inc when processing attacker-controlled DHCP hostname values through the web interface. A remote user can supply a crafted hostname value to execute arbitrary code as root.

Exploitation requires page-interfaces privileges and is triggered when changes are applied or when the interface later issues a DHCP request.

Remediation

Install update from vendor's website.

References

• https://github.com/opnsense/core/security/advisories/GHSA-f59w-m967-9rf6
• https://github.com/advisories/GHSA-f59w-m967-9rf6
• https://github.com/opnsense/core/security/advisories/GHSA-5rx3-w735-74wm