CVE-2026-44195 Overview
CVE-2026-44195 is a logic flaw in the OPNsense lockout_handler that lets an unauthenticated attacker bypass the brute-force protection on the administrative interface. OPNsense is a FreeBSD-based firewall and routing platform. Versions prior to 26.1.7 decide whether a logged authentication event was a success or a failure by searching the log entry for success keywords instead of reading the status field. A login attempt whose username contains a keyword such as Accepted or Successful login is therefore logged as a failure but counted as a success, which resets the failure counter for the attacker's source IP address. The counter never reaches the lockout threshold, so brute-force attempts can continue indefinitely against the authentication interface. The vulnerability is fixed in OPNsense 26.1.7.
Critical Impact
Attackers can perform unlimited brute-force authentication attempts against OPNsense web and API interfaces, bypassing the account lockout control that normally throttles guessing attacks.
Affected Products
- OPNsense versions prior to 26.1.7
- OPNsense Community Edition (FreeBSD-based firewall/routing platform)
- OPNsense Business Edition builds derived from affected core releases (the Business Edition uses its own version numbering, so confirm the fixed build against the vendor advisory)
Discovery Timeline
- 2026-05-13 - CVE-2026-44195 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44195
Vulnerability Analysis
The flaw resides in the OPNsense lockout_handler, the component that tracks failed authentication attempts per source IP and locks an address out once its failures reach the configured threshold. The handler inspects authentication log entries to decide whether each event was a success or a failure, and it does so by substring matching against keywords such as Accepted and Successful login. The matching logic does not distinguish the system-generated status text from the attacker-controlled username field, so a keyword placed in the username is evaluated as if it were the status. The weakness is classified as CWE-307: Improper Restriction of Excessive Authentication Attempts.
Root Cause
The lockout_handler parses authentication log lines without isolating the username field from system-generated status text. When a username contains a success keyword, the handler interprets the corresponding log entry as a successful login. It then resets the failure counter for the attacker's IP address, even though the authentication attempt failed. The control intended to enforce rate limiting becomes attacker-influenced state.
Attack Vector
An unauthenticated remote attacker who can reach the OPNsense web GUI or API over the network submits a stream of ordinary brute-force attempts with candidate passwords against a target account. Before the per-IP failure count reaches the configured threshold, the attacker sends one login request whose username contains Accepted or Successful login. That attempt fails like the others, but the handler classifies its log entry as a success and resets the counter, so the attacker can alternate injected requests with guessing runs and never trigger the IP lockout. No valid credentials are needed at any point. The published advisory details the affected handler and the fixed release; see the GitHub Security Advisory GHSA-h3vx-4q27-rc42 for vendor details.
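To make the root cause and the attack sequence concrete, the following is an added example, not code from the OPNsense project: it replays constructed log lines through a keyword-matching classifier of the kind described above and through a hardened classifier that reads the status text only in its own position. The message shape ("<status text> '<user>' from: <ip>"), the threshold of 3, the sample lines and the function names are assumptions for illustration; the real handler's log format and threshold may differ.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real OPNsense output), modelled on the
# classic web GUI audit message shape "<status text> '<user>' from: <ip>".
# 203.0.113.7 is the attacker; 10.10.0.5 is a legitimate administrator.
PREFIX = "Mar 10 09:12:44 fw lighttpd[3321]: /index.php: "
SAMPLE_LINES = [
    PREFIX + "webConfigurator authentication error for user 'admin' from: 203.0.113.7",
    PREFIX + "webConfigurator authentication error for user 'admin' from: 203.0.113.7",
    # injected username carrying a success keyword (the attempt itself failed)
    PREFIX + "webConfigurator authentication error for user 'Successful login' from: 203.0.113.7",
    PREFIX + "webConfigurator authentication error for user 'admin' from: 203.0.113.7",
    PREFIX + "webConfigurator authentication error for user 'admin' from: 203.0.113.7",
    # second injection, this time with the other keyword
    PREFIX + "webConfigurator authentication error for user 'Accepted password' from: 203.0.113.7",
    PREFIX + "webConfigurator authentication error for user 'admin' from: 203.0.113.7",
    PREFIX + "Successful login for user 'root' from: 10.10.0.5",
]

THRESHOLD = 3  # assumed lockout threshold; the real value is configurable


def extract_ip(line):
    # The daemon appends " from: <ip>" after the username, so the LAST occurrence
    # is always the system-written one, whatever the attacker put in the username.
    _, sep, tail = line.rpartition(" from: ")
    return tail.strip() if sep else None


def vulnerable_classify(line):
    """Flawed logic: success keywords matched anywhere on the line."""
    if "Successful login" in line or "Accepted" in line:
        return "success"
    if "authentication error" in line:
        return "failure"
    return None


# Hardened: the status phrase is only accepted in its own position, before the
# quoted username. The lazy prefix stops at the first status phrase on the line,
# which is the daemon's; anything inside the quotes is attacker-controlled data.
EVENT_RE = re.compile(
    r"^.*?(?P<status>Successful login for user"
    r"|webConfigurator authentication error for user)"
    r" '(?P<user>.*)' from: (?P<ip>\S+)$"
)


def hardened_classify(line):
    m = EVENT_RE.match(line)
    if not m:
        return None
    return "success" if m.group("status").startswith("Successful") else "failure"


def run_lockout(lines, classify, threshold=THRESHOLD):
    """Replay the log through a per-IP failure counter; return (locked IPs, counters)."""
    failures = defaultdict(int)
    locked = set()
    for line in lines:
        outcome, ip = classify(line), extract_ip(line)
        if outcome is None or ip is None:
            continue
        if outcome == "success":
            failures[ip] = 0          # the reset the injected username is aiming for
        else:
            failures[ip] += 1
            if failures[ip] >= threshold:
                locked.add(ip)
    return locked, dict(failures)


if __name__ == "__main__":
    for name, clf in (("vulnerable", vulnerable_classify), ("hardened", hardened_classify)):
        locked, counts = run_lockout(SAMPLE_LINES, clf)
        print(f"{name:10s} locked={sorted(locked)} counts={counts}")
```

With the keyword classifier the attacker's counter oscillates between 0 and 2 and the IP is never locked; with the position-aware classifier the same eight lines lock 203.0.113.7 at the third failure. The general lesson is that the rate-limit state must be derived from fields the daemon wrote, never from a search across text that includes user input.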
Detection Methods for CVE-2026-44195
Indicators of Compromise
- Authentication log entries containing usernames with the literal strings Accepted or Successful login
- High volumes of failed logins from a single source IP without corresponding lockout events
- Repeated authentication attempts against the OPNsense web GUI or API exceeding normal user behavior
Detection Strategies
- Parse /var/log/auth.log and OPNsense audit logs for username fields containing success keywords, treating them as injection attempts
- Correlate failed login counts per source IP against lockout events; deviation indicates bypass activity
- Alert on authentication attempts from IPs that exceed configured failure thresholds without triggering lockouts
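The first two detection strategies above, as runnable logic over constructed log lines. This is an added example, not code from the original page or from OPNsense: the message shape, the sample lines, the threshold of 3 and the contents of the lockout table are assumptions, and the pf table name webConfiguratorlockout is assumed as well.

```python
import re
from collections import Counter

SUCCESS_KEYWORDS = ("Accepted", "Successful login")
LOCKOUT_THRESHOLD = 3  # assumed; use the threshold configured on the firewall

# Constructed message shape "<status text> '<user>' from: <ip>" (sample data, not real output).
EVENT_RE = re.compile(
    r"^.*?(?P<status>Successful login for user"
    r"|webConfigurator authentication error for user)"
    r" '(?P<user>.*)' from: (?P<ip>\S+)$"
)

PREFIX = "Mar 10 09:12:44 fw lighttpd[3321]: /index.php: "
SAMPLE_AUTH_LOG = [
    # 203.0.113.7: four failures, one with an injected username, and never locked out
    PREFIX + "webConfigurator authentication error for user 'admin' from: 203.0.113.7",
    PREFIX + "webConfigurator authentication error for user 'admin' from: 203.0.113.7",
    PREFIX + "webConfigurator authentication error for user 'Successful login' from: 203.0.113.7",
    PREFIX + "webConfigurator authentication error for user 'admin' from: 203.0.113.7",
    # 198.51.100.9: three failures and it IS in the lockout table, so the control worked
    PREFIX + "webConfigurator authentication error for user 'ops' from: 198.51.100.9",
    PREFIX + "webConfigurator authentication error for user 'ops' from: 198.51.100.9",
    PREFIX + "webConfigurator authentication error for user 'ops' from: 198.51.100.9",
    # 10.10.0.5: legitimate administrator
    PREFIX + "Successful login for user 'root' from: 10.10.0.5",
]

# Constructed contents of the lockout table. On a live box you would read it with
# "pfctl -t webConfiguratorlockout -T show" (table name assumed).
SAMPLE_LOCKED_IPS = {"198.51.100.9"}


def parse_events(lines):
    """Yield (status, user, ip) for each recognised line; status is 'success' or 'failure'."""
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            status = "success" if m.group("status").startswith("Successful") else "failure"
            yield status, m.group("user"), m.group("ip")


def find_injection_attempts(lines):
    """IOC: a username field that carries one of the success keywords."""
    return [(ip, user) for _, user, ip in parse_events(lines)
            if any(k in user for k in SUCCESS_KEYWORDS)]


def find_bypass_suspects(lines, locked_ips, threshold=LOCKOUT_THRESHOLD):
    """IOC: failures at or above the threshold from an IP that is not in the lockout table."""
    failures = Counter(ip for status, _, ip in parse_events(lines) if status == "failure")
    return sorted(ip for ip, n in failures.items() if n >= threshold and ip not in locked_ips)


if __name__ == "__main__":
    print("injection attempts:", find_injection_attempts(SAMPLE_AUTH_LOG))
    print("bypass suspects:   ", find_bypass_suspects(SAMPLE_AUTH_LOG, SAMPLE_LOCKED_IPS))
```

The second rule is the more durable one: an injected username is easy to vary, but an IP that has accumulated more failures than the threshold allows and is still not locked out is evidence that the control failed, whatever the cause. Run it over a window of the forwarded log in the SIEM rather than over the whole file, and feed it the live lockout table at evaluation time.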
Monitoring Recommendations
- Forward OPNsense authentication and audit logs to a central logging or SIEM platform for correlation
- Track baseline authentication failure rates per account and per source IP, and alert on sustained deviations
- Monitor inbound and management-plane access to firewall administrative interfaces for unexpected source addresses
How to Mitigate CVE-2026-44195
Immediate Actions Required
- Upgrade OPNsense to version 26.1.7 or later, which contains the corrected lockout_handler logic
- Restrict access to the OPNsense web GUI and API to trusted management networks only
- Rotate credentials for any administrative accounts exposed to untrusted networks since the affected versions were deployed
Patch Information
OPNsense fixed the issue in release 26.1.7. The vendor advisory is published as GHSA-h3vx-4q27-rc42. Apply the update through the OPNsense firmware updater (System > Firmware in the web GUI, or opnsense-update from the console), or rebuild from upstream sources at the corresponding tag.
Workarounds
- Place the OPNsense management interface behind a VPN or jump host to remove unauthenticated network exposure
- Enforce firewall rules limiting source IPs permitted to reach the GUI and API listeners
- Enable multi-factor authentication on administrative accounts to reduce the value of password guessing
# Example: restrict GUI access to a management subnet using pf-style rules
# Replace 10.10.0.0/24 with your administrative network, igb0 with the interface that carries
# management traffic, and 443 with the GUI port if it has been changed from the default.
# Note: OPNsense generates pf.conf itself, so do not edit it by hand. Create the equivalent rules
# in Firewall > Rules on the management interface, in this pass-then-block order, and keep them
# above any rule that would admit the wider network to the GUI port.
pass in quick on igb0 proto tcp from 10.10.0.0/24 to (self) port 443 keep state
block in quick on igb0 proto tcp to (self) port 443
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


