Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Establishing a tunnel needs an authenticated session (PR:L) and a non-default config; impact is bypassing a forwarding restriction to gain network reachability (I:L), with no direct confidentiality or availability loss.
Primary rating from Vendor (mitre).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
7DescriptionNVD
In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.
AnalysisAI
Security-control bypass in OpenSSH sshd before 10.4 causes the DisableForwarding=yes hardening directive to be silently ignored when PermitTunnel=yes is also set, so tun-device forwarding remains available despite an administrator's explicit policy to disable all forwarding. Affected operators are those who rely on DisableForwarding as a defense-in-depth restriction; the flaw lets an authenticated user establish layer-2/3 tunnels the configuration was meant to forbid. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the server run sshd with BOTH DisableForwarding=yes AND PermitTunnel=yes (point-to-point or ethernet) simultaneously - a non-default configuration where the administrator intended forwarding to be off but explicitly permitted tunneling. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are consistent and point to a low-to-moderate real-world priority despite the 7.5 CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An administrator hardens a bastion with DisableForwarding=yes but leaves PermitTunnel=yes in a shared config, believing all forwarding is off. An authenticated user with SSH access to that host requests a tun tunnel (ssh -w) and, because the override fails, successfully establishes a layer-3 tunnel into networks the policy intended to seal off, enabling pivoting. … |
| Remediation | Vendor-released patch: upgrade sshd to OpenSSH 10.4 (portable 10.4p1) or later per the release notes at https://www.openssh.com/releasenotes.html#10.4p1, which corrects the precedence so DisableForwarding=yes overrides PermitTunnel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running OpenSSH before version 10.4 and map those with DisableForwarding=yes configurations to assess exposure scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-348 – Use of Less Trusted Source
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42142
GHSA-gcm2-x6hm-q4h3