Skip to main content

OpenSSH CVE-2026-59999

| EUVDEUVD-2026-42142 HIGH
Use of Less Trusted Source (CWE-348)
2026-07-08 mitre GHSA-gcm2-x6hm-q4h3
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (mitre) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
4.3 LOW

Establishing a tunnel needs an authenticated session (PR:L) and a non-default config; impact is bypassing a forwarding restriction to gain network reachability (I:L), with no direct confidentiality or availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jul 09, 2026 - 17:13 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 09, 2026 - 17:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 09, 2026 - 17:07 vuln.today
cvss_changed
Severity Changed
Jul 09, 2026 - 17:07 NVD
MEDIUM HIGH
CVSS changed
Jul 09, 2026 - 17:07 NVD
5.9 (MEDIUM) 7.5 (HIGH)
Patch available
Jul 08, 2026 - 02:01 EUVD
Analysis Generated
Jul 08, 2026 - 01:26 vuln.today

DescriptionNVD

In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.

AnalysisAI

Security-control bypass in OpenSSH sshd before 10.4 causes the DisableForwarding=yes hardening directive to be silently ignored when PermitTunnel=yes is also set, so tun-device forwarding remains available despite an administrator's explicit policy to disable all forwarding. Affected operators are those who rely on DisableForwarding as a defense-in-depth restriction; the flaw lets an authenticated user establish layer-2/3 tunnels the configuration was meant to forbid. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to sshd with valid credentials
Delivery
Identify DisableForwarding=yes with PermitTunnel=yes
Exploit
Request tun tunnel via ssh -w
Execution
Override fails, tunnel established
Impact
Pivot into restricted network segment

Vulnerability AssessmentAI

Exploitation Exploitation requires that the server run sshd with BOTH DisableForwarding=yes AND PermitTunnel=yes (point-to-point or ethernet) simultaneously - a non-default configuration where the administrator intended forwarding to be off but explicitly permitted tunneling. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are consistent and point to a low-to-moderate real-world priority despite the 7.5 CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An administrator hardens a bastion with DisableForwarding=yes but leaves PermitTunnel=yes in a shared config, believing all forwarding is off. An authenticated user with SSH access to that host requests a tun tunnel (ssh -w) and, because the override fails, successfully establishes a layer-3 tunnel into networks the policy intended to seal off, enabling pivoting. …
Remediation Vendor-released patch: upgrade sshd to OpenSSH 10.4 (portable 10.4p1) or later per the release notes at https://www.openssh.com/releasenotes.html#10.4p1, which corrects the precedence so DisableForwarding=yes overrides PermitTunnel. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running OpenSSH before version 10.4 and map those with DisableForwarding=yes configurations to assess exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Share

CVE-2026-59999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy