XPath Injection in OPNsense - CVE-2026-53582
Published: June 15, 2026
Vulnerability identifier: #VU134538
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-53582
CWE-ID: CWE-643
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Deciso
Affected software:
OPNsense
OPNsense
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information and escalate privileges.
The vulnerability exists due to xpath injection in the trust module refid field when processing stored ca object data during API retrieval. A remote user can store a crafted xpath expression in the refid field and trigger its evaluation via the ca get endpoint to disclose sensitive information and escalate privileges.
The issue is exploitable by a user with System: CA Manager permissions, and the boolean side channel can be used to extract secrets from config.xml character by character.
How to mitigate CVE-2026-53582
Install security update from vendor's website.