CVE-2026-44194 Overview
CVE-2026-44194 is an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense FreeBSD-based firewall and routing platform. The flaw resides in the local user synchronization flow inside core/src/opnsense/scripts/auth/sync_user.php. An authenticated user with user-management privileges can bypass input validation by encoding a malicious payload as an RFC-compliant email address. The crafted input passes validation and reaches the underlying operating system, where it executes shell commands as root. The issue is classified under [CWE-78] OS Command Injection. OPNsense fixed the vulnerability in version 26.1.8.
Critical Impact
Authenticated administrators with user-management rights can execute arbitrary commands as root on the firewall appliance, leading to full device compromise.
Affected Products
- OPNsense versions prior to 26.1.8
- OPNsense core component sync_user.php in the authentication subsystem
- Deployments exposing the user-management interface to privileged accounts
Discovery Timeline
- 2026-05-13 - CVE-2026-44194 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44194
Vulnerability Analysis
The vulnerability is an OS command injection in the OPNsense local user synchronization workflow. The script core/src/opnsense/scripts/auth/sync_user.php accepts user attribute data, including an email address field, and passes that data into shell-level operations without adequate sanitization. The input validation routine confirms that the supplied value conforms to email address syntax but does not reject characters and constructs that carry semantic meaning to the shell. An authenticated attacker holding the user-management privilege can craft an email-shaped string that contains injected shell metacharacters and command fragments. When the synchronization process executes the resulting command line, the appliance interprets the payload as additional commands and runs them with root privileges.
Root Cause
The root cause is insufficient input sanitization in the user synchronization script. Validation logic enforces email address syntax compliance but fails to escape or reject shell metacharacters that remain syntactically valid within the local-part or quoted segments of an address. Operating system commands constructed from this attacker-controlled string therefore inherit injected payloads.
Attack Vector
Exploitation requires an authenticated session with user-management privileges. The attacker submits or synchronizes a user record containing a maliciously formatted email address. The OPNsense backend invokes sync_user.php, which assembles a shell command that incorporates the email value. Shell interpretation of the embedded metacharacters causes injected commands to execute as root, providing full control of the firewall.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-f59w-m967-9rf6 for the maintainer's technical description.
Detection Methods for CVE-2026-44194
Indicators of Compromise
- Unexpected user records containing email addresses with shell metacharacters such as backticks, $(), semicolons, or pipe symbols inside quoted local-parts.
- New or modified entries in /etc/passwd, cron tables, or SSH authorized_keys files on the OPNsense appliance following user synchronization events.
- Outbound network connections originating from the firewall to attacker-controlled hosts shortly after user-management activity.
Detection Strategies
- Audit OPNsense system logs and configuration history for user-create or user-update events with anomalous email field contents.
- Inspect process accounting for child processes of sync_user.php that are not part of normal synchronization, such as shells, curl, or wget.
- Compare the running OPNsense version against 26.1.8 across all managed appliances to identify exposed instances.
Monitoring Recommendations
- Forward OPNsense audit, authentication, and system logs to a centralized logging platform for correlation and retention.
- Alert on changes to administrator and user-management role assignments to detect privilege staging that precedes exploitation.
- Monitor egress traffic from firewall management interfaces, which should not initiate arbitrary outbound sessions during normal operation.
How to Mitigate CVE-2026-44194
Immediate Actions Required
- Upgrade all OPNsense systems to version 26.1.8 or later, where the input validation in sync_user.php is corrected.
- Restrict accounts holding user-management privileges to a minimal set of trusted administrators.
- Review existing user records and remove any entries containing suspicious email field contents.
Patch Information
The vendor fixed CVE-2026-44194 in OPNsense 26.1.8. The patch addresses the unsafe handling of email field input within core/src/opnsense/scripts/auth/sync_user.php. Refer to the OPNsense GitHub Security Advisory for upgrade instructions and the full advisory text.
Workarounds
- Limit access to the OPNsense web administration interface to trusted management networks using firewall rules.
- Enforce multi-factor authentication on all administrative accounts to reduce the risk of credential compromise leading to exploitation.
- Temporarily revoke user-management privileges from non-essential operators until the upgrade to 26.1.8 is completed.
# Verify the installed OPNsense version and upgrade if below 26.1.8
opnsense-version
opnsense-update -ub
opnsense-update -r 26.1.8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
