Skip to main content

OpenSSH CVE-2026-35386

| EUVDEUVD-2026-18400 HIGH
Incorrect Behavior Order (CWE-696)
2026-04-02 cve@mitre.org
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

AC:H because exploitation needs both an untrusted username on the command line and a non-default %-expansion ssh_config; PR:N as the attacker only supplies input; full command execution yields C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jul 07, 2026 - 16:14 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 07, 2026 - 16:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 07, 2026 - 16:07 vuln.today
cvss_changed
Severity Changed
Jul 07, 2026 - 16:07 NVD
LOW HIGH
CVSS changed
Jul 07, 2026 - 16:07 NVD
3.6 (LOW) 8.1 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
10.3
EUVD ID Assigned
Apr 02, 2026 - 17:22 euvd
EUVD-2026-18400
Analysis Generated
Apr 02, 2026 - 17:22 vuln.today
CVE Published
Apr 02, 2026 - 17:16 nvd
LOW 3.6

DescriptionNVD

In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

AnalysisAI

Argument/command injection in OpenSSH before 10.3 lets shell metacharacters embedded in an untrusted username trigger command execution on the SSH-client host. It affects deployments that both feed an attacker-influenced username to the ssh command line and use a non-default ssh_config where %-token expansion (e.g. in ProxyCommand/LocalCommand) is enabled. There is no public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not in CISA KEV; a fixed release (10.3/10.3p1) is available.

Technical ContextAI

OpenSSH is the OpenBSD-maintained SSH client/server suite (CPE cpe:2.3:a:openbsd:openssh) that ships as the default SSH implementation on virtually all Linux/BSD/macOS systems. The ssh_config directives ProxyCommand, LocalCommand and similar support percent-token expansion, where tokens such as %r (remote username) and %u are substituted into a string that is subsequently handed to a shell. CWE-696 (Incorrect Behavior Order) is the root cause: the username value is expanded into the command string before it is properly neutralized, so shell metacharacters in the username survive into shell interpretation. When an application or wrapper passes a username derived from untrusted input to ssh, and the local ssh_config uses these %-tokens, the metacharacters are executed rather than treated as literal text.

RemediationAI

Vendor-released patch: upgrade to OpenSSH 10.3 (portable 10.3p1) or later per the OpenSSH release notes (https://www.openssh.org/releasenotes.html#10.3p1); on Ubuntu apply the packaged fix from USN-8222-1 (https://ubuntu.com/security/notices/USN-8222-1) and equivalent distro updates elsewhere. If immediate patching is not possible, eliminate the trigger conditions: stop passing untrusted or externally-derived usernames directly onto the ssh command line (validate/allowlist usernames to safe characters before invoking ssh), and review ssh_config and ssh_config.d for ProxyCommand, LocalCommand or other directives using %r/%u tokens, removing or hardening them where the username is not fully trusted - the trade-off is loss of the dynamic proxy/local-command behavior those directives provide. These controls address the exact preconditions rather than relying on generic defense in depth.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Share

CVE-2026-35386 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy