Anonymous Intelligence Signal

OPNsense Core Flaw CVE-2026-45158 Allows Root RCE via DHCP Configuration Injection

human The Lab unverified 2026-05-14 04:48:35 Source: Mastodon:hachyderm.io:#cybersecurity

A critical command injection vulnerability has been identified in OPNsense core versions prior to 26.1.8. It potentially enables unauthenticated remote attackers to execute arbitrary commands with root-level privileges by exploiting DHCP configuration settings. The flaw, cataloged as CVE-2026-45158 and classified under CWE-88 (improper neutralization of argument delimiters in a command, i.e. argument injection), presents a severe security risk for organizations deploying OPNsense as their firewall or network edge solution.

The vulnerability lies in OPNsense's DHCP configuration handling, where insufficient input sanitization allows attackers to inject operating system commands through crafted DHCP requests. Successful exploitation grants the attacker full root access, and with it complete control over the affected firewall appliance. Systems running any OPNsense core version below 26.1.8 are vulnerable. Administrators should immediately verify their current installation version and apply the patched release. The official remediation guidance and additional technical indicators are available through security intelligence platforms tracking this CVE.
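One way to triage a fleet against the 26.1.8 threshold, as an added example that is not part of the original report or of OPNsense itself. The host names and inventory lines are constructed; the script assumes version strings in the community numbering (`26.1.7`, optionally with an `_N` hotfix suffix or wrapped in a banner line), compares fields numerically so that 26.1.10 is not mistaken for an older release than 26.1.8, and reports `unknown` rather than guessing when no version can be parsed.

```shell
#!/bin/sh
# Added example: classify OPNsense version strings against the fixed release
# named in the advisory. Inventory data below is constructed for illustration.

FIXED="26.1.8"

# Pull the first dotted version out of a string such as
# "OPNsense 26.1.7_4 (amd64)". The "_N" hotfix suffix is dropped because
# the advisory's threshold is expressed as a core release number.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Print "vulnerable", "patched" or "unknown" for one version string.
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    printf '%s %s\n' "$v" "$FIXED" | awk '{
        split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            x = a[i] + 0; y = b[i] + 0      # missing field counts as 0
            if (x < y) { print "vulnerable"; exit }
            if (x > y) { print "patched"; exit }
        }
        print "patched"                     # exactly the fixed release
    }'
}

# Read "hostname version-string" lines on stdin, print "hostname verdict".
audit() {
    while read -r name rest; do
        [ -n "$name" ] || continue
        printf '%s %s\n' "$name" "$(classify "$rest")"
    done
}

# Constructed inventory: hypothetical host names, sample version strings.
sample_inventory() {
cat <<'EOF'
fw-edge-01 OPNsense 26.1.7_4 (amd64)
fw-edge-02 OPNsense 26.1.8 (amd64)
fw-branch-03 25.7.11_1
fw-lab-04 26.1.10
fw-old-05 version not reported
EOF
}

sample_inventory | audit
```

Hosts reported as `unknown` should be checked by hand and treated as unpatched until confirmed.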

The exposure carries significant implications for network defenders. Root-level code execution on a perimeter security device opens pathways for lateral movement into internal networks, persistent compromise, or data exfiltration. Organizations running exposed OPNsense instances, particularly those accessible from untrusted networks, face heightened risk. Security teams should prioritize patching, audit DHCP service configurations for anomalies, and monitor for signs of exploitation attempts. Given the availability of proof-of-concept details, active exploitation in the wild remains a credible near-term threat until widespread patch adoption occurs.