Skip to main content

SSH CVE-2026-35414

| EUVDEUVD-2026-18480 MEDIUM
Always-Incorrect Control Flow Implementation (CWE-670)
2026-04-02 mitre
4.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
10.3
EUVD ID Assigned
Apr 02, 2026 - 17:30 euvd
EUVD-2026-18480
Analysis Generated
Apr 02, 2026 - 17:30 vuln.today
CVE Published
Apr 02, 2026 - 17:08 nvd
MEDIUM 4.2

DescriptionCVE.org

OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

AnalysisAI

OpenSSH before version 10.3 mishandles the authorized_keys principals option when a principals list is combined with a Certificate Authority that uses certain comma character patterns, allowing authenticated local or remote users to disclose sensitive authorization information or manipulate authentication decisions. This vulnerability affects all OpenSSH versions prior to 10.3p1 and requires authenticated access (PR:L) with non-trivial attack complexity (AC:H), resulting in partial confidentiality and integrity impact. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability resides in OpenSSH's parsing and validation of the authorized_keys file, specifically in how the ssh daemon processes the principals option within certificate-based authentication scenarios. The principals option is used in conjunction with OpenSSH certificates to restrict which principals (identities) are authorized to use a given certificate. The root cause involves improper parsing (CWE-670: Improper Controls for Generation of Security-Relevant Values) when comma characters appear in both the principals list configuration and within the Certificate Authority's certificate data structure. This parsing error can cause the ssh daemon to incorrectly interpret authorization boundaries, potentially exposing principal names or allowing unintended principal matches. The affected component is the OpenSSH authentication subsystem (cpe:3.1:a:openbsd:openssh), which is the de facto SSH server implementation deployed across Unix-like systems globally.

RemediationAI

Upgrade OpenSSH to version 10.3p1 or later, which includes the fix for principals parsing in certificate-based authentication. Organizations unable to immediately patch should audit their authorized_keys files and certificate authority configurations for use of principals options in conjunction with commas in CA certificate data; if such configurations are not in use, the vulnerability exposure is minimal. Workarounds are not documented in available references, making patching the primary mitigation. Administrators should prioritize patching in environments that actively deploy OpenSSH certificate-based authentication with complex principal configurations. Refer to https://www.openssh.org/releasenotes.html#10.3p1 for explicit patch availability and https://marc.info/?l=openssh-unix-dev&m=177513443901484&w=2 for technical discussion of the issue.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-35414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy