Skip to main content

OpenSSH CVE-2026-55655

| EUVDEUVD-2026-38413 MEDIUM
Improper Restriction of Communication Channel to Intended Endpoints (CWE-923)
2026-06-23 redhat GHSA-wcvf-3x75-j4c6
6.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
MEDIUM
qualitative
NVD
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
vuln.today AI
5.0 MEDIUM

Local-only attack requiring low-privilege account, race/pre-binding complexity, victim-initiated X11 session, and no availability impact independently support each metric choice.

3.1 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Red Hat
5.0 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
CVSS changed
Jun 25, 2026 - 17:07 NVD
5.0 (MEDIUM) 6.1 (MEDIUM)
Analysis Generated
Jun 23, 2026 - 04:16 vuln.today

DescriptionNVD

A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A successful attack can compromise the confidentiality of forwarded X11 traffic, including sensitive window contents and input, and may allow some manipulation of the forwarded session.

AnalysisAI

X11 forwarding session hijacking in OpenSSH enables a local unprivileged attacker sharing a Linux client host to intercept and partially manipulate the victim's forwarded X11 display traffic by squatting on the predictable abstract UNIX domain socket name before the SSH client creates it. Affected deployments span OpenSSH packages across Red Hat Enterprise Linux 6 through 10, Red Hat Hardened Images, and OpenShift Container Platform 4. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker gains local unprivileged account on shared client host
Delivery
Pre-bind predictable abstract UNIX domain X socket name
Exploit
Victim initiates SSH session with X11 forwarding enabled
Execution
SSH client routes X11 traffic to attacker-controlled socket
Impact
Attacker captures keystrokes, window contents, and sensitive X11 session data

Vulnerability AssessmentAI

Exploitation X11 forwarding must be explicitly enabled for the SSH client session - either via 'ForwardX11 yes' or 'ForwardX11Trusted yes' in ssh_config, or via the -X or -Y command-line flags. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.0 with vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N captures the real-world risk reasonably well. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious unprivileged employee or contractor with a shell account on a shared Linux developer jump host monitors for peer SSH activity and pre-binds the predictable abstract UNIX domain socket name used by OpenSSH X11 forwarding before a privileged colleague initiates their SSH session with X11 enabled. The colleague's SSH client, finding the intended abstract socket already bound, routes the X11 forwarding channel through the attacker-controlled endpoint, giving the attacker a real-time view of the colleague's X11 session including passwords typed in terminal emulators, browser content displayed in X applications, and the ability to inject limited input into the session.
Remediation Consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-55655 for the patched OpenSSH package version, as no specific fixed version number has been confirmed in the available intelligence - patch availability per vendor advisory should be assumed pending confirmation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Vendor StatusVendor

Debian

openssh
Release Status Fixed Version Urgency
bullseye undetermined 1:8.4p1-5+deb11u3 -
bullseye (security) undetermined 1:8.4p1-5+deb11u7 -
bookworm undetermined 1:9.2p1-2+deb12u10 -
bookworm (security) undetermined 1:9.2p1-2+deb12u9 -
trixie undetermined 1:10.0p1-7+deb13u4 -
trixie (security) undetermined 1:10.0p1-7+deb13u2 -
forky, sid undetermined 1:10.3p1-4 -
(unstable) fixed undetermined -

Share

CVE-2026-55655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy